An anonymous person has again posted vulnerability information gleaned from the Computer Emergency Response Center (CERT) approximately 10 days in advance of CERT's intended release of information to the public.
The vulnerability involves Adobe PDF files: a PDF file containing malicious hyperlinks might be able to execute arbitrary commands on the system used to view it.
In past months, the anonymous poster, who goes by the alias "Hack4life," has somehow managed to obtain private information from CERT without the organization's knowledge and has subsequently disclosed that information to the public before vendors were ready to do so. CERT works with vendors who experience security problems to coordinate patch and information release. The anonymous person's antics undermine that process.
In a previous instance of leaking CERT information, the anonymous poster portrayed himself (or herself) as a blackhat intruder, saying that the impetus for such leaks was to give intruders plenty of time to exploit the vulnerabilities before vendors have time to produce a patch and users have a chance to apply it to their systems. The poster also said that the information leaks would continue and that future leaks would come late in the day on Fridays, when many of the people responsible for producing and applying security patches would be away for the weekend.
As with previous information leaks, this latest leak was sent to both the Full Disclosure mailing list and the Bugtraq mailing list late in the day on Friday, June 13. The Full Disclosure mailing list is unmoderated, so the message was distributed to readers immediately; the Bugtraq mailing list, however, is moderated, and the moderators apparently chose not to let the message through, so the leaked information was not published on that list.
Such leaks cast a shadow of irony over the CERT organization, which is being exploited while trying to protect users against exploits. CERT has said in the past that it's working to identify the source of the information leaks, but apparently it hasn't yet identified the culprit.
The antics also cast dark shadows elsewhere: upon advocates of full disclosure, upon unmoderated mailing lists, and upon the http://www.hushmail.com email service the anonymous person used to leak the information. What's more, the leaks stand in stark contrast to responsible vulnerability disclosure and reporting policies, such as RFPolicy, that security researchers have long followed. They likewise stand in stark contrast to the newly proposed reporting and disclosure policy recently offered by the Organization for Internet Safety, which is headed by various corporations with direct interests in the security industry.