Fourth CERT document is leaked online

An individual using the name "hack4life" sent another internal CERT Coordination Center memo to an online discussion list Friday, detailing a product vulnerability that hadn't yet been disclosed, in what appears to have been the fourth such incident last week.

The leaked e-mail message, from Ian Finlay, an Internet systems security analyst at CERT, concerned a message from Microsoft Corp. to CERT regarding a vulnerability in Web redirectors, which forward a visitor from one Internet domain to another.

Microsoft is concerned that such sites are being used by organizations and individuals to disguise the source of spam e-mail, making it look as though it comes from legitimate sources, according to Finlay's message. In addition, the widespread exploitation of such redirection servers, which are provisioned to handle an expected volume of traffic, could amount to a denial-of-service (DoS) attack against the organizations that run those servers, Finlay wrote.
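The article does not say which Microsoft redirector was affected or how it was coded, so the following is an added illustration, not code from the memo, Microsoft or CERT. It contrasts the open-redirector pattern the memo describes (any caller-supplied URL becomes the Location header, so a spam link that begins with a trusted host silently lands on the spammer's site) with a hardened version that only redirects to an allowlist of hosts the site owns. The host names, the allowlist and the sample targets are constructed for the example; handling the traffic-volume (DoS) side of the problem, such as rate limiting, is out of scope here.

```python
from urllib.parse import urlparse, urljoin

# Constructed configuration for this example: the site owns example.com and
# only ever wants to forward visitors to its own hosts (assumption).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
DEFAULT_LANDING = "https://www.example.com/"


def redirect_location_vulnerable(target: str) -> str:
    """The open-redirector pattern: the value of ?url= is echoed straight into
    the Location header. A mail containing
    https://www.example.com/redir?url=http://spammer.invalid/ looks like it
    points at example.com but delivers the reader to the spammer."""
    return target


def redirect_location_hardened(target: str) -> str:
    """Forward only to hosts in ALLOWED_HOSTS; anything else, including
    anything that does not parse cleanly, falls back to a fixed landing page.
    Relative paths are resolved against the site's own origin."""
    if not target:
        return DEFAULT_LANDING
    # Backslashes and control characters are interpreted inconsistently by
    # browser URL parsers; refuse them outright instead of normalising.
    if any(c in "\\\r\n\t" or ord(c) < 0x20 for c in target):
        return DEFAULT_LANDING
    # Resolve relative targets ("/account") against our origin. A
    # protocol-relative "//spammer.invalid/" resolves to
    # https://spammer.invalid/ and is then rejected by the host check.
    resolved = urljoin(DEFAULT_LANDING, target)
    parsed = urlparse(resolved)
    # Non-http(s) schemes such as javascript: are never a valid redirect.
    if parsed.scheme not in ("http", "https"):
        return DEFAULT_LANDING
    # hostname is lower-cased and has userinfo/port stripped, so
    # "https://www.example.com@spammer.invalid/" yields spammer.invalid and
    # "https://www.example.com.spammer.invalid/" is a different host entirely.
    host = parsed.hostname or ""
    if host not in ALLOWED_HOSTS:
        return DEFAULT_LANDING
    if parsed.username or parsed.password:
        return DEFAULT_LANDING
    return resolved


if __name__ == "__main__":
    # Constructed sample targets a spammer might place in a mail.
    for t in ["http://spammer.invalid/", "//spammer.invalid/",
              "https://www.example.com.spammer.invalid/",
              "https://www.example.com@spammer.invalid/",
              "javascript:alert(1)", "/account/settings"]:
        print(f"{t!r:48} vulnerable -> {redirect_location_vulnerable(t)}")
        print(f"{'':48} hardened   -> {redirect_location_hardened(t)}")
```

The hardened version deliberately compares whole host names against an allowlist rather than checking that the target "starts with" or "contains" the site's domain; the look-alike and userinfo cases in the sample list are exactly the inputs that defeat prefix and substring checks.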

In a note that preceded the leaked e-mail, the individual responsible for posting the message apologized to the hacker community for the low severity level of the reported problem.

"Your mileage with this vulnerability may vary; some people will think it's irrelevant; some may be able to make use of it," hack4life wrote. "CERT obviously thinks it's worth while, so I've take (sic) the choice out of their hands too and released it anyway," the note said.

The leaked e-mail regarding the Web page redirect problem follows three similar posts, apparently from the same individual, on March 16. Those vulnerabilities concerned security problems being researched by CERT, but that had not been disclosed to the public:

-- A buffer overflow vulnerability in a software library used by many Unix and Linux operating systems and applications;

-- A technique for attacking and breaking encryption on Web servers that use SSL (Secure Sockets Layer);

-- Cryptographic vulnerabilities in the Kerberos Version 4 protocol that could allow an attacker to impersonate a user in a Kerberos realm and gain privileged access.

CERT believes that all of the leaks came from information shared with vendors.

"The particular text that he posted was taken directly from e-mail messages sent to the vendor community," said Shawn Hernan, team leader for vulnerability handling at CERT.

CERT customarily shares such information with vendors when it is developing vulnerability notices and alerts, Hernan said. The organization had narrowed its focus to "a fairly sizeable group" of those vendors with which CERT has long-standing relationships, Hernan said.

CERT encrypts correspondence about vulnerabilities when it sends that information to vendors. Each vendor maintains its own unique encryption key for deciphering and viewing the information after it is received.

To read the information in such a message, an intruder would have to defeat the PGP (Pretty Good Privacy) or SSL (Secure Sockets Layer) keys used to encrypt the correspondence, which Hernan said was "highly unlikely." If the messages were stored in decrypted form on a compromised e-mail server, an intruder could obtain the information that way as well, Hernan said.

The most likely scenario, however, was that the culprit was in a position to obtain the decrypted information, possibly as part of a development team assigned to evaluate or fix the problems, Hernan said.

Hernan discounted the possibility that a CERT employee leaked the information, saying that CERT insiders have access to more sensitive issues that would be more attractive targets for premature disclosure than the items published by hack4life.

CERT is working with the software vendors that are most likely to be affected by the premature disclosures and is taking other measures to respond to the leaks, Hernan said.

If the person responsible for the leak is a "maverick" employee of one of the vendors CERT is communicating with, however, it may be difficult to prevent future disclosures, Hernan said.

CERT would not comment on whether law enforcement had been contacted concerning the leaks, but the difficulty in determining the location of the person responsible for the leaks could complicate any criminal investigation, Hernan said.

The organization, which is affiliated with Carnegie Mellon University in Pittsburgh, will continue to thoroughly research the leaked issues before publishing an alert.

"We feel there's a real benefit in making sure issues are properly scoped and researched before they are made public," Hernan said.

However, the premature disclosures changed the priority of those issues, Hernan said.

Hernan took aim at the person responsible for the leaks, saying that the author's tone in the posts to the discussion list was "petulant" and that he would have more respect for the author's opinions about disclosing product vulnerabilities if the person would give his or her name.

Publishing product vulnerabilities before a patch is available does not send a message about the benefits of full disclosure, but means that research on more important vulnerabilities must be postponed so that vendors can address the leaked problems, Hernan said.

"I have no quarrel with the full disclosure community, but I do have a quarrel with the stupid disclosure community," Hernan said.

Paul Roberts

IDG News Service