Researchers have disclosed flaws in products from antivirus software vendors like Kaspersky and FireEye that could be exploited by malicious hackers.
Tavis Ormandy, a security researcher at Google’s Project Zero team, made the vulnerabilities public by tweeting about the successful exploitation Kaspersky’s anti-virus product in such a way that users could find their systems easily compromised by malicious hackers.
Ormandy last night tweeted, “Alright, sent Kaspersky some more vulnerabilities to investigate, many obviously exploitable. I’ll triage the remaining bugs tomorrow.”
Earlier, he tweeted, “Alright, sent Kaspersky some more vulnerabilities to investigate, many obviously exploitable. I’ll triage the remaining bugs tomorrow.”
According to a news report published in Graham Cluley, one has to question the timing of Ormandy’s announcement just before a long holiday weekend in the United States, which clearly makes it difficult as possible for a corporation to put together a response for concerned users. I supposed we should be grateful that he at least ensured that Ryan Naraine, a reporter at Kaspersky’s Threatpost blog, was cc’d on the announcement.
“None of this, of course, is to say that the vulnerability doesn’t sound serious, and Kaspersky would be wise to investigate and fix it at the earliest opportunity. Ideally vulnerabilities should be found by a company’s internal team, or ironed out before software ever gets released. And it’s better that someone like Ormandy finds a flaw rather than a malicious hacking gang,” the news report added.
At the same time, Kristian Erik Hermansen, another security researcher, revealed that he had found flaws in FireEye’s software.
As CSO reports, Kristian Erik Hermansen has disclosed details of a zero-day vulnerability, which – if exploited – can result in unauthorised file disclosure.
He published proof-of-concept code showing that how the vulnerability could be triggered, and claimed that he had found three other vulnerabilities in FireEye’s product. All are said to be up for sale.
“FireEye appliance, unauthorized remote root file system access. Oh cool, web server runs as root! Now that’s excellent security from a _security_ vendor 🙂 Why would you trust these people to have this device on your network,” Hermansen said. Just one of many handfuls of FireEye / Mandiant 0day. Been sitting on this for more than 18 months with no fix from those security “experts” at FireEye. Pretty sure Mandiant staff coded this and other bugs into the products. Even more sad, FireEye has no external security researcher reporting process.”