Information Security News mailing list archives

Leaked Bug Alerts Cause a Stir


From: InfoSec News <isn () c4i org>
Date: Fri, 21 Mar 2003 01:05:06 -0600 (CST)

http://www.wired.com/news/infostructure/0,1377,58106,00.html

By Brian McWilliams
March 19, 2003

Riley Hassell was bewildered this week when details from a
confidential bug report he had written mysteriously showed up on a
popular security mailing list.

Hassell, a security researcher for eEye Digital Security, had
explained in writing a flaw he discovered in widely used Internet
software from Sun Microsystems. The problem was so severe that Hassell
had agreed to keep his advisory secret for several weeks until Sun and
other vendors could create fixes for the affected applications.

But an anonymous person using the e-mail account
Hack4life () hushmail com apparently thought the information shouldn't be
kept under wraps.

On Sunday, Hack4life posted an advisory containing the bug's specifics
to the Full-Disclosure security mailing list. Hack4life also posted a
warning about a separate security flaw discovered by researchers at
MIT that wasn't supposed to be published until June.

Hack4life apparently intercepted both documents from the Computer
Emergency Response Team, a federally funded security information
clearinghouse. CERT officials confirmed this week that CERT had been
working with eEye and MIT researchers to coordinate the release of the
advisories. According to CERT, intruders may have hacked into systems
operated by any of the dozens of affected vendors who received advance
copies of the advisories.

"It is possible that these messages were posted as a result of a
compromise of a vendor's system, and we are advising them to look for
signs of a compromise," said Shawn Hernan, vulnerability handling team
leader for CERT.

Many read the incident as a protest over CERT's attempt to control the
vulnerability disclosure process. When notified by researchers about
security bugs, CERT typically works with vendors to prepare software
patches prior to the public release of the vulnerability information.

CERT also gives an advance warning about flaws to members of the
Internet Security Alliance, an information-sharing consortium. ISA
members pay a fee to CERT to receive early notification of
vulnerability information.

In January, Mark Litchfield, a security researcher with NGS Software,
threatened to boycott CERT after learning that information his company
confidentially provided to the clearinghouse was distributed first to
ISA, and only weeks later to the general public.

In an e-mail interview, Litchfield said he was not aware of the
weekend CERT leaks. But he didn't seem surprised that the group could
be vulnerable to occasional security glitches.

"Just goes to show how much they can actually be trusted," he wrote.

Chris Wysopal, director of research and development for AtStake, said
the leaked advisories point out the fragility of CERT's
information-handling process.

"The pre-release vulnerability info flow is a juicy and obvious
target," he said.

E-mail exchanges between CERT and affected vendors often contain
details about reproducing and exploiting vulnerabilities that are
censored from reports released to the public. Leaks of such
information can put vendors and their customers at great risk, Wysopal
said.

Hernan said CERT uses encryption to protect unpublished advisories
from prying eyes. But while CERT is still investigating the incident,
Hernan did not express optimism that the perpetrator could be caught.

"Ultimately, if an individual chooses to take information and post it
anonymously to a mailing list, that's a difficult thing to track
down," he said.

Hack4life did not explain the motive behind posting the CERT
advisories. In an e-mail interview, Hack4life said only that the
leaked reports were "draft CERT advisories sent to a vendor before
release," but did not immediately respond to requests for more
information.

In response to the leak, Hassell said eEye would shortly be releasing
its advisory on the Sun security flaw, which lies in a set of software
libraries used by many Unix programs.

In an attempt to mitigate damage from the leaked advisories, MIT
security researcher Tom Yu requested that his paper be removed from
the Full-Disclosure archive, according to list moderator Len Rose.
Yu's paper, co-authored with MIT colleague Sam Hartman, was the basis
for a draft CERT vulnerability note detailing cryptographic flaws in
the Kerberos authentication protocol.

Also among the CERT reports posted without authorization was a third
advisory based on an article about attacks on the OpenSSL Internet
security standard published by researchers at Stanford University
earlier this month.

In a posting to the list Monday, Rose said he refused Yu's request,
because such a move would violate the editorial integrity of the
list's archives. Yu was not immediately available for comment.

CERT representatives declined to say when the organization planned to
release official versions of the leaked advisories.


