Sounds like it’s going to be a busy few days for R&D and PR departments at least two security companies.
This weekend, vulnerability researchers have separately disclosed flaws in products from Kaspersky and FireEye that could be exploited by malicious hackers.
First up was Tavis Ormandy.
Ormandy, a security researcher at Google, has made a controversial name for himself over the years disclosing security vulnerabilities in products from other software vendors.
His critics, of which I’m one, fear that he has sometimes put innocent users at risk by not working on a co-ordinated disclosure with the manufacturer of the vulnerable software, ensuring that all users are protected with a patch before details of how to exploit the flaw are made public.
At the end of last week, Ormandy tweeted that he had successfully exploited Kaspersky’s anti-virus product in such a way that users could find their systems easily compromised by malicious hackers.
Okay, first Kaspersky exploit finished, works great on 15 and 16. Will mail report after dinner. /cc @ryanaraine pic.twitter.com/IpifiWpoEU
— Tavis Ormandy (@taviso) September 5, 2015
Ormandy has previously published details of how he has exploited anti-virus products from Sophos and ESET.
In a follow-up to his latest announcement, Ormandy tweeted that the flaw was “a remote, zero interaction SYSTEM exploit, in default config. So, about as bad as it gets.”
One has to question the timing of Ormandy’s announcement just before a long holiday weekend in the United States, which clearly makes it difficult as possible for a corporation to put together a response for concerned users. I supposed we should be grateful that he at least ensured that Ryan Naraine, a reporter at Kaspersky’s Threatpost blog, was cc’d on the announcement.
None of this, of course, is to say that the vulnerability doesn’t sound serious, and Kaspersky would be wise to investigate and fix it at the earliest opportunity. Ideally vulnerabilities should be found by a company’s internal team, or ironed out before software ever gets released. And it’s better that someone like Ormandy finds a flaw rather than a malicious hacking gang.
Nonetheless, one remains concerned that in the past malicious hackers have taken details of flaws published by Google’s Tavis Ormandy, and used them in attacks.
Meanwhile, another security researcher had an important announcement this US holiday weekend, revealing that he had found flaws in FireEye’s software.
As CSO reports, Kristian Erik Hermansen has disclosed details of a zero-day vulnerability, which – if exploited – can result in unauthorised file disclosure.
Regrettably, Hermansen published proof-of-concept code showing how the vulnerability could be triggered, and claimed that he had found three other vulnerabilities in FireEye’s product. All are said to be up for sale.
“FireEye appliance, unauthorized remote root file system access. Oh cool, web server runs as root! Now that’s excellent security from a _security_ vendor :) Why would you trust these people to have this device on your network.”
“Just one of many handfuls of FireEye / Mandiant 0day. Been sitting on this for more than 18 months with no fix from those security “experts” at FireEye. Pretty sure Mandiant staff coded this and other bugs into the products. Even more sad, FireEye has no external security researcher reporting process.”
If you use products from Kaspersky or FireEye you may wish to contact their technical support departments to see if they can shed any more light on these issues. Be sure to be nice to them. Chances are they didn’t have a great holiday weekend.
Update:
According to Ormandy, Kaspersky is rolling out a fix globally. That sounds like a great response from the Russian anti-virus firm.
Kaspersky tell me they're rolling out a fix globally right now, that was less than 24hrs.
— Tavis Ormandy (@taviso) September 6, 2015
Kaspersky has been in touch with an official statement:
“We would like to thank Mr. Tavis Ormandy for reporting to us a buffer overflow vulnerability, which our specialists fixed within 24 hours of its disclosure. A fix has already been distributed via automatic updates to all our clients and customers. We’re improving our mitigation strategies to prevent exploiting of inherent imperfections of our software in the future. For instance, we already use such technologies as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).
Kaspersky Lab has always supported the assessment of our solutions by independent researchers. Their ongoing efforts help us to make our solutions stronger, more productive and more reliable.”
Update #2 (8 September 2015):
FireEye has returned from the Labor Day weekend with its own statement about the vulnerabilities reportedly found in its products:
“Yesterday, FireEye learned of four potential security issues in our products from Kristian Hermansen’s public disclosure of them being available for purchase. We appreciate the efforts of security researchers like Kristian Hermansen and Ron Perris to find potential security issues and help us improve our products, but always encourage responsible disclosure. FireEye has a documented policy for researchers to responsibly disclose and inform us of potential security issues. We have reached out to the researchers regarding these potential security issues in order to quickly determine, and potentially remediate, any impacts to the security of our platform and our customers.”
However, Kristian Hermansen is seemingly unimpressed: Researcher demands FireEye pay up for zero-day vulnerabilities or suffer his ‘cold silence’
(Ryan works for Kaspersky itself, not for Threatpost.)
Although I don't think it's an excuse to offer bounties up for sale, it's worth noting that FireEye has allegedly threatened to sue researchers who reported vulnerabilities – for reasons that Oracle's MAD would probably approve of.
I do wish security vendors started to offer bug bounty programs, or at least treated vulnerability disclosure seriously.
Hi,
I know for a fact that Avast does pay researchers for vulns,and after a guy named Korret discovered many AV mobile apps had vulnerabilities Avast willingly and gladly rewarded him a substantial amount of cash. I think it was between 5 & 6 figure. I believe the presentation was Blackhat 2014 Asia conference. Anyways,most of the AV venders either ignored him,and or ridiculed and threatened him for his efforts. Typical of arrogant AV venders like Fireeye! I will dig up the article. Stay tuned.
Ok,here is the story from last years Syscan presentation about Korrets findings.http://m.theregister.co.uk/2014/07/29/antivirus_blood_splattered_as_biz_warned_audit_or_die/
And this bit from pcworld about Kaspersky:
The issues in Kaspersky Lab’s antivirus products that were outlined in Koret’s presentation, namely the absence of ASLR in some components and a potential denial-of-service issue when scanning nested archives, are not critical to the security protection of the company’s customers, a Kaspersky representative said via email. Software that is written without ASLR is not implicitly more vulnerable to exploits, but Kaspersky Lab added ASLR to the product components that were lacking it—vlns.kdl and avzkrnl.dll—after Koret’s presentation, he said.
And check this out about over 30,000 apps in playstore with MALWARE:
http://www.theregister.co.uk/2015/08/31/massvet_finding_unknown_malice_in_10_seconds_mass_vetting_for_new_threats_at_the_googleplay_scale/
Tossed that in because it's not getting the attention it deserves,so please pass it along,thanks.
And, consider, that FireEye's problem has been there for over 18 months and has still not been fixed, despite being in the public forum now. For a security product, that's disgusting!
Not to mention that these vulnerabilities are _disturbingly_ simple.
A single run with AppScan or Zap would have found these flaws. This is laziness, lack of focus and incompetence at their worse.
Fireeye seems like a throwback to mid-2000's "security" vendors like Lumigent who made your systems markedly less secure by implementing them.
Kudos to the folks at Kaspersky, first for hustling out a patch so quickly, and secondly for having way more professionalism and class than Mr. Ormandy has in irresponsibly disclosing the vulnerability on a zero-day basis.
For the record, I wouldn't dream of accusing "taviso" of being an arrogant, smirking little twerp who doesn't have the wits or character to discern the difference between notoriety and good reputation, so just put that thought out of your head right now. But the photo shown in the article does convey a certain…uh, shall we say "impression" of his attitude.