Officials at the CERT Coordination Center are scrambling to determine the source of a persistent leak that led to yet another unauthorized disclosure of a security vulnerability last week.
A rogue security researcher, who goes by the mailing-list handle Hack4life, posted an advisory taken from CERT concerning a flaw in some PDF file readers. The posting was in the format of a submission from a researcher to CERT, not that of a bulletin from CERT to the public.
Hack4life has, on several previous occasions, posted CERT bulletins before the center was ready to release them. In each case the bulletins have appeared on the Full Disclosure mailing list.
Officials at CERT said the information in Hack4lifes posting came from a communication that the center sent to the vendors that get early notice of new vulnerabilities.
“We still at this point dont know which vendor it is [thats leaking the information],” said Jeffrey Carpenter, manager of CERT, based at Carnegie Mellon University, in Pittsburgh.
In the latest posting, Hack4life includes a few clues about his identity, although its impossible to tell whether theyre real, Carpenter said.
“OK, so Ive been a bit quiet recently, what with college and exams. But the semesters nearly over now, so Ill have plenty of time to keep you all up-to-date with what those fools at CERT are up to once college is finished,” Hack4life wrote in the posting.
CERT had plans to release its advisory on the PDF reader issue June 23, according to Hack4lifes posting, but Carpenter said no decision has been made on a release date. “Were getting back in contact with the vendors, as we would with any vulnerability that was leaked to the public,” he said.
The vulnerability appears in Adobe Systems Inc.s Acrobat Reader and a handful of other similar programs and enables a remote attacker to run code with local-user privileges.
The flaw allows attackers to execute shell commands on vulnerable machines by embedding them in PDF documents. The vulnerability affects readers on most Unix-based operating systems, according to the submission to CERT.
The security community, however, appears to have tired of Hack4lifes antics. Unlike the other CERT vulnerability documents Hack4life has leaked, the PDF vulnerability warning generated virtually no reaction from other members of the Full Disclosure list.