Renegade researchers uncover significant vulnerabilities in offerings from leading security vendors
Some of the leading security products on the market are affected by a raft of dangerous vulnerabilities, researchers have claimed.
FireEye’s security product was apparently hacked by Los Angeles-based researcher Kristian Erik Hermansen, who revealed on Twitter that he had found ‘at least four’ security flaws in the company’s core product.
Revealing details of one flaw, which among other things could allow an attacker to gain remote access to files and to bypass logins, Hermansen said he was putting the other three up for sale to the highest bidder, having sat on the first vulnerability for more than 18 months with “no fix from those security ‘experts’ at FireEye.”
The disclosure covers how to trigger the remote file disclosure vulnerability, as well as details of a file used to keep track of every registered user with access to a particular system.
Hermansen published details about the remote file disclosure vulnerability on Pastebin and Exploit-DB saying: “FireEye appliance, unauthorised remote root file system access. Oh cool, web server runs as root! Now that’s excellent security from a security vendor 🙂 Why would you trust these people to have this device on your network?”
FireEye responded with a statement saying that it ‘appreciated’ Hermansen’s efforts, and has reached out to him for more information.
“Yesterday, FireEye learned of four potential security issues in our products from Kristian Hermansen’s public disclosure of them being available for purchase,” the statement said.
“We appreciate the efforts of security researchers like Kristian Hermansen and Ron Perris to find potential security issues and help us improve our products, but always encourage responsible disclosure. FireEye has a documented policy for researchers to responsibly disclose and inform us of potential security issues. We have reached out to the researchers regarding these potential security issues in order to quickly determine, and potentially remediate, any impacts to the security of our platform and our customers.”
‘As bad as it gets’
Elsewhere, Kaspersky’s anti-virus product was hacked by Google security researcher Tavis Ormandy, who claimed on Twitter to have found “a remote, zero interaction SYSTEM exploit, in default config. So, about as bad as it gets.”
Ormandy says that Kaspersky has already begun to roll out a patch for the flaw to its users around the world.
Ormandy has been criticised in the cybersecurity industry for his practice of disclosing vulnerabilities publicly rather than informing the company first and giving them time to fix the flaw, but claims to have already told Kaspersky about this latest vulnerability before the patch was released.
“We would like to thank Mr. Tavis Ormandy for reporting to us a buffer overflow vulnerability, which our specialists fixed within 24 hours of its disclosure,” a Kaspersky Labs spokesperson told TechWeekEurope.
“A fix has already been distributed via automatic updates to all our clients and customers. We’re improving our mitigation strategies to prevent exploitation of inherent imperfections of our software in the future. For instance, we already use such technologies as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).”
“Kaspersky Lab has always supported the assessment of our solutions by independent researchers. Their ongoing efforts help us to make our solutions stronger, more productive and more reliable.”