Vulnerability Accidentally Disclosed

Thursday, May 30, 2013 @ 06:05 PM gHale


Because of an error, vulnerabilities reported to Secunia’s Vulnerability Coordination Reward Program ended up on a public mailing list instead of a private list.

Secunia’s Advisory Team Lead, Chaitanya Sharma, wanted to send an email to the “vuln” address at Secunia. However, likely because of the autocomplete feature, the email erroneously went to the “vim” address at Attrition.com, the mailing list for Vulnerability Information Managers.

The email contained some details regarding vulnerabilities in ERDAS ER Viewer, an image viewing app developed by Intergraph that allows customers to view large JPEG 2000 and ECW files.

The freeware application is used by numerous organizations, including some in the defense sector.

In a statement published after the incident came to light, Morten R. Stengaard, CTO at Secunia, said the vendor in question was notified immediately. A patch to address the vulnerability is being prepared.

“Secunia is going through all procedures to ensure that this cannot happen in future,” Stengaard said.


