‘Major’ Flaws Found In Kaspersky, FireEye Security Products

Some of the leading security products on the market have been reportedly compromised by a raft of dangerous vulnerabilities, researchers have claimed.

The affected products include offerings from Kaspersky and FireEye, and reportedly involve zero-day vulnerabilities which could put users’ private files at risk, according to IBTimes.


FireEye’s security product was apparently hacked by Los Angeles-based researcher Kristian Erik Hermansen, who revealed on Twitter that he had found ‘at least four’ security flaws in the company’s core product.

Revealing details of one flaw – which among other things could allow those exploiting it to gain remote access to files and also allowing users to bypass logins, Hermansen said he was putting the other three up for sale to the highest bidder, having sat on the first vulnerability for more than 18 months with no fix from those security “experts” at FireEye.”

The disclosed vulnerability involves triggering the remote file disclosure vulnerability as well as details of a file that is used to keep track of every registered user that has access to a particular system.

Hermansen published details about the remote file disclosure vulnerability on Pastebin and Exploit-DB saying: “FireEye appliance, unauthorised remote root file system access. Oh cool, web server runs as root! Now that’s excellent security from a security vendor 🙂 Why would you trust these people to have this device on your network?”

FireEye responded with a statement saying that it ‘appreciated’ Hermansen’s efforts, and has reached out to him for more information.

“Yesterday, FireEye learned of four potential security issues in our products from Kristian Hermansen’s public disclosure of them being available for purchase,” the statement said.

“We appreciate the efforts of security researchers like Kristian Hermansen and Ron Perris to find potential security issues and help us improve our products, but always encourage responsible disclosure. FireEye has a documented policy for researchers to responsibly disclose and inform us of potential security issues. We have reached out to the researchers regarding these potential security issues in order to quickly determine, and potentially remediate, any impacts to the security of our platform and our customers.”

‘As bad as it gets’

Elsewhere, Kaspersky’s anti-virus product was hacked by Google security researcher Travis Ormandy, who claimed on Twitter to have found “a remote, zero interaction SYSTEM exploit, in default config. So, about as bad as it gets.”

Ormandy says that Kaspersky has already begun to roll out a patch for the flaw to its users around the world.

Ormandy has been criticised in the cybersecurity industry for his practice of disclosing vulnerabilities publicly rather than informing the company first and giving them time to fix the flaw, but claims to have already told Kaspersky about this latest vulnerability before the patch was released.

“We would like to thank Mr. Tavis Ormandy for reporting to us a buffer overflow vulnerability, which our specialists fixed within 24 hours of its disclosure,” a Kaspersky Labs spokesperson told TechWeekEurope.

“A fix has already been distributed via automatic updates to all our clients and customers. We’re improving our mitigation strategies to prevent exploiting of inherent imperfections of our software in the future. For instance, we already use such technologies as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). “

“Kaspersky Lab has always supported the assessment of our solutions by independent researchers. Their ongoing efforts help us to make our solutions stronger, more productive and more reliable.”

Are you a security expert? Try our quiz!

Mike Moore

Michael Moore joined TechWeek Europe in January 2014 as a trainee before graduating to Reporter later that year. He covers a wide range of topics, including but not limited to mobile devices, wearable tech, the Internet of Things, and financial technology.

Recent Posts

BNP Paribas Joins JP Morgan Blockchain Trading Network

French bank BNP Paribas becomes first European bank to join JP Morgan's blockchain-based Onyx Digital…

15 hours ago

SEC Held Off Elon Musk Enforcement ‘Due To Court Fears’

US securities regulators may have refrained from enforcement actions against Elon Musk due to discouraging…

16 hours ago

Snap Earnings Warning Triggers Tech Sell-Off

Investors spooked after Snap warns of deteriorating economic conditions, says earnings now 'below the low…

18 hours ago

Russian Operator Discounts Smartphones As Sanctions Bite

Biggest Russian mobile operator MTS begins selling discounted and second-hand smartphones as Russians hit by…

18 hours ago

Clearview AI Fined £7.5m Over Facial Recognition Data

UK Information Commissioner's Office orders controversial facial recognition firm Clearview AI to delete data it…

19 hours ago

Airbnb To Pull Out Of China Amidst ‘Pandemic Challenges’

Airbnb to pull out of China as ongoing zero-Covid policy places severe restrictions on domestic…

20 hours ago