Secunia apologises over vulnerability disclosure on mailing list
Vulnerability management firm Secunia has apologised after details of an undisclosed vulnerability were sent to a public mailing list.
In a statement, Secunia CTO Morten Stengaard offered his ‘sincere apologies’ after a story appeared in Security Week. He said: “Earlier this month, a researcher discovered two vulnerabilities within an application, and was coordinating them via the Secunia SVCRP program.
“While coordinating with the researcher, one email was accidentally sent from Secunia to a public emailing list, thereby making information about one of the vulnerabilities publicly available.
“Upon realising the mistake, Secunia immediately informed the vendor in question, who is currently working to create a patch for the vulnerability. Secunia is going through all procedures to ensure that this cannot happen in future.”
The article by Security Week revealed that the unpatched vulnerability was within an Intergraph image viewing application and that the email was supposed to be addressed to the ‘vuln’ address at Secunia. However, an apparent auto-fill mistake in the address field sent the email to the Vulnerability Information Managers mailing list instead.
Intergraph creates software that is used in the defence and intelligence sector (anti-terror/geospatial intelligence), as well as in emergency, electric, road, rail, airport and seaport infrastructure management. The email said that the ERDAS ER software has two unpatched flaws: the first a stack-based buffer overflow that was initially disclosed to Secunia, and the second one that was supposedly patched in April by Intergraph, although Secunia reported that the fix was only released to ‘a restricted audience’.