Researchers have disclosed flaws in products from antivirus software
vendors like Kaspersky and FireEye that could be exploited by malicious
hackers.
Tavis Ormandy, a security researcher at Google’s Project
Zero team, made the vulnerabilities public by tweeting about the successful
exploitation of Kaspersky's anti-virus product in such a way that users could find
their systems easily compromised by malicious hackers.
Ormandy last night tweeted, “Alright, sent Kaspersky some
more vulnerabilities to investigate, many obviously exploitable. I'll triage
the remaining bugs tomorrow.”
Earlier, he tweeted, “Alright, sent Kaspersky some more
vulnerabilities to investigate, many obviously exploitable. I'll triage the
remaining bugs tomorrow.”
According to a news report published by Graham Cluley, one
has to question the timing of Ormandy's announcement just before a long holiday
weekend in the United States, which clearly makes it as difficult as possible for
a corporation to put together a response for concerned users. I suppose we
should be grateful that he at least ensured that Ryan Naraine, a reporter at
Kaspersky's Threatpost blog, was cc'd on the announcement.
“None of this, of course, is to say that the vulnerability
doesn't sound serious, and Kaspersky would be wise to investigate and fix it at
the earliest opportunity. Ideally vulnerabilities should be found by a
company's internal team, or ironed out before software ever gets released. And
it's better that someone like Ormandy finds a flaw rather than a malicious hacking
gang,” the news report added.
At the same time, Kristian Erik Hermansen, another security
researcher, revealed that he had found flaws in FireEye's software.
As CSO reports, Kristian Erik Hermansen has disclosed
details of a zero-day vulnerability, which - if exploited - can result in
unauthorised file disclosure.
He published proof-of-concept code showing how the
vulnerability could be triggered, and claimed that he had found three other
vulnerabilities in FireEye's product. All are said to be up for sale.
"FireEye appliance, unauthorized remote root file
system access. Oh cool, web server runs as root! Now that's excellent security
from a _security_ vendor :) Why would you trust these people to have this
device on your network," Hermansen said. "Just one of many handfuls of
FireEye / Mandiant 0day. Been sitting on this for more than 18 months with no
fix from those security "experts" at FireEye. Pretty sure Mandiant
staff coded this and other bugs into the products. Even more sad, FireEye has
no external security researcher reporting process."