March 24, 2003, 2:10 PM — An individual using the name "hack4life" sent another internal CERT Coordination Center memo to an online discussion list Friday, detailing a product vulnerability that hadn't yet been disclosed, in what appears to have been the fourth such incident last week.
The leaked e-mail message, from Ian Finlay, an Internet systems security analyst at CERT, concerned a message from Microsoft Corp. to CERT regarding a vulnerability in Web redirectors, which forward a visitor from one Internet domain to another.
Microsoft is concerned that such sites are being used by organizations and individuals to disguise the source of spam e-mail, making it look like it comes from legitimate sources, according to Finlay's message. In addition, the widespread exploitation of such redirection servers, which are calibrated to handle an expected volume of traffic, could constitute a denial-of-service (DoS) attack against the organizations that use those servers, Finlay wrote.
In a note that preceded the leaked e-mail, the individual responsible for posting the message apologized to the hacker community for the low severity level of the reported problem.
"Your mileage with this vulnerability may vary; some people will think it's irrelevant; some may be able to make use of it," hack4life wrote. "CERT obviously thinks it's worth while, so I've take (sic) the choice out of their hands too and released it anyway," the note said.
The leaked e-mail regarding the Web page redirect problem follows three similar posts, apparently from the same individual, on March 16. Those posts concerned security problems that CERT was researching but that had not been disclosed to the public:
-- A buffer overflow vulnerability in a software library used by many Unix and Linux operating systems and applications;
-- A technique for attacking and breaking encryption on Web servers that use SSL (Secure Sockets Layer);
-- Cryptographic vulnerabilities in the Kerberos Version 4 protocol that could allow an attacker to impersonate a user in a Kerberos realm and gain privileged access.
CERT believes that all of the leaks came from information shared with vendors.
"The particular text that he posted was taken directly from e-mail messages sent to the vendor community," said Shawn Hernan, team leader for vulnerability handling at CERT.
CERT customarily shares such information with vendors when it is developing vulnerability notices and alerts, Hernan said. The organization had narrowed its focus to "a fairly sizeable group" of those vendors with which CERT has long-standing relationships, Hernan said.
CERT encrypts correspondence about vulnerabilities when it sends that information to vendors. Each vendor maintains its own unique encryption key for deciphering and viewing the information after it is received.