Sounds like it’s going to be a busy few days for R&D and PR departments at least two security companies.
This weekend, vulnerability researchers have separately disclosed flaws in products from Kaspersky and FireEye that could be exploited by malicious hackers.
Ormandy, a security researcher at Google, has made a controversial name for himself over the years disclosing security vulnerabilities in products from other software vendors.
His critics, of which I’m one, fear that he has sometimes put innocent users at risk by not working on a co-ordinated disclosure with the manufacturer of the vulnerable software, ensuring that all users are protected with a patch before details of how to exploit the flaw are made public.
At the end of last week, Ormandy tweeted that he had successfully exploited Kaspersky’s anti-virus product in such a way that users could find their systems easily compromised by malicious hackers.
— Tavis Ormandy (@taviso) September 5, 2015
Ormandy has previously published details of how he has exploited anti-virus products from Sophos and ESET.
In a follow-up to his latest announcement, Ormandy tweeted that the flaw was “a remote, zero interaction SYSTEM exploit, in default config. So, about as bad as it gets.”
One has to question the timing of Ormandy’s announcement just before a long holiday weekend in the United States, which clearly makes it difficult as possible for a corporation to put together a response for concerned users. I supposed we should be grateful that he at least ensured that Ryan Naraine, a reporter at Kaspersky’s Threatpost blog, was cc’d on the announcement.
None of this, of course, is to say that the vulnerability doesn’t sound serious, and Kaspersky would be wise to investigate and fix it at the earliest opportunity. Ideally vulnerabilities should be found by a company’s internal team, or ironed out before software ever gets released. And it’s better that someone like Ormandy finds a flaw rather than a malicious hacking gang.
Nonetheless, one remains concerned that in the past malicious hackers have taken details of flaws published by Google’s Tavis Ormandy, and used them in attacks.
As CSO reports, Kristian Erik Hermansen has disclosed details of a zero-day vulnerability, which – if exploited – can result in unauthorised file disclosure.
Regrettably, Hermansen published proof-of-concept code showing how the vulnerability could be triggered, and claimed that he had found three other vulnerabilities in FireEye’s product. All are said to be up for sale.
“FireEye appliance, unauthorized remote root file system access. Oh cool, web server runs as root! Now that’s excellent security from a _security_ vendor :) Why would you trust these people to have this device on your network.”
“Just one of many handfuls of FireEye / Mandiant 0day. Been sitting on this for more than 18 months with no fix from those security “experts” at FireEye. Pretty sure Mandiant staff coded this and other bugs into the products. Even more sad, FireEye has no external security researcher reporting process.”
If you use products from Kaspersky or FireEye you may wish to contact their technical support departments to see if they can shed any more light on these issues. Be sure to be nice to them. Chances are they didn’t have a great holiday weekend.
According to Ormandy, Kaspersky is rolling out a fix globally. That sounds like a great response from the Russian anti-virus firm.
Kaspersky tell me they're rolling out a fix globally right now, that was less than 24hrs.
— Tavis Ormandy (@taviso) September 6, 2015
Kaspersky has been in touch with an official statement:
“We would like to thank Mr. Tavis Ormandy for reporting to us a buffer overflow vulnerability, which our specialists fixed within 24 hours of its disclosure. A fix has already been distributed via automatic updates to all our clients and customers. We’re improving our mitigation strategies to prevent exploiting of inherent imperfections of our software in the future. For instance, we already use such technologies as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).
Kaspersky Lab has always supported the assessment of our solutions by independent researchers. Their ongoing efforts help us to make our solutions stronger, more productive and more reliable.”
Update #2 (8 September 2015):
FireEye has returned from the Labor Day weekend with its own statement about the vulnerabilities reportedly found in its products:
“Yesterday, FireEye learned of four potential security issues in our products from Kristian Hermansen’s public disclosure of them being available for purchase. We appreciate the efforts of security researchers like Kristian Hermansen and Ron Perris to find potential security issues and help us improve our products, but always encourage responsible disclosure. FireEye has a documented policy for researchers to responsibly disclose and inform us of potential security issues. We have reached out to the researchers regarding these potential security issues in order to quickly determine, and potentially remediate, any impacts to the security of our platform and our customers.”
However, Kristian Hermansen is seemingly unimpressed: Researcher demands FireEye pay up for zero-day vulnerabilities or suffer his ‘cold silence’