Secunia accidentally drops zero-day on public mailing list


Autocomplete error.

Vulnerability management firm Secunia has apologised after details of an undisclosed vulnerability were sent to a public mailing list.

The unpatched vulnerability affects an image viewing application made by Intergraph, which sells products to the defence and transport sectors.

The email was supposed to go to Secunia's internal vulnerability address; an apparent auto-fill mistake in the recipient field instead sent it to the Vulnerability Information Managers mailing list.

The email said that the ERDAS ER software has two unpatched flaws: a stack-based buffer overflow that was initially disclosed to Secunia, and a second flaw that Intergraph supposedly patched in April, although Secunia reported the fix was only released to ‘a restricted audience’.

Secunia CTO Morten Stengaard offered his ‘sincere apologies’ after a story appeared in Security Week.

“Earlier this month, a researcher discovered two vulnerabilities within an application, and was coordinating them via the Secunia SVCRP program.

“While coordinating with the researcher, one email was accidentally sent from Secunia to a public mailing list, thereby making information about one of the vulnerabilities publicly available.

“Upon realising the mistake, Secunia immediately informed the vendor in question, who is currently working to create a patch for the vulnerability. Secunia is going through all procedures to ensure that this cannot happen in future.”

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, UK edition