CERT Seeks Source of Adobe PDF Flaw Leak | eWeek

CERT Seeks Source of Adobe PDF Flaw Leak

Écrit par
Dennis Fisher
Dennis Fisher
Jun 23, 2003
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Officials at the CERT Coordination Center are scrambling to determine the source of a persistent leak that led to yet another unauthorized disclosure of a security vulnerability last week.

A rogue security researcher, who goes by the mailing-list handle Hack4life, posted an advisory taken from CERT concerning a flaw in some PDF file readers. The posting was in the format of a submission from a researcher to CERT, not that of a bulletin from CERT to the public.

Hack4life has, on several previous occasions, posted CERT bulletins before the center was ready to release them. In each case the bulletins have appeared on the Full Disclosure mailing list.

Officials at CERT said the information in Hack4lifes posting came from a communication that the center sent to the vendors that get early notice of new vulnerabilities.

UnCERTainty

Advisories leaked recently

  • March 15 Flaws in OpenSSL and Kerberos
  • March 16 Vulnerability in Suns XDR
  • June 13 Flaw in some PDF readers

UnCERTainty

Advisories leaked recently

  • March 15 Flaws in OpenSSL and Kerberos
  • March 16 Vulnerability in Suns XDR
  • June 13 Flaw in some PDF readers

UnCERTainty

Advisories leaked recently

  • March 15 Flaws in OpenSSL and Kerberos
  • March 16 Vulnerability in Suns XDR
  • June 13 Flaw in some PDF readers

“We still at this point dont know which vendor it is [thats leaking the information],” said Jeffrey Carpenter, manager of CERT, based at Carnegie Mellon University, in Pittsburgh.

In the latest posting, Hack4life includes a few clues about his identity, although its impossible to tell whether theyre real, Carpenter said.

“OK, so Ive been a bit quiet recently, what with college and exams. But the semesters nearly over now, so Ill have plenty of time to keep you all up-to-date with what those fools at CERT are up to once college is finished,” Hack4life wrote in the posting.

CERT had plans to release its advisory on the PDF reader issue June 23, according to Hack4lifes posting, but Carpenter said no decision has been made on a release date. “Were getting back in contact with the vendors, as we would with any vulnerability that was leaked to the public,” he said.

The vulnerability appears in Adobe Systems Inc.s Acrobat Reader and a handful of other similar programs and enables a remote attacker to run code with local-user privileges.

The flaw allows attackers to execute shell commands on vulnerable machines by embedding them in PDF documents. The vulnerability affects readers on most Unix-based operating systems, according to the submission to CERT.

The security community, however, appears to have tired of Hack4lifes antics. Unlike the other CERT vulnerability documents Hack4life has leaked, the PDF vulnerability warning generated virtually no reaction from other members of the Full Disclosure list.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.