Security researchers discover Zero-days in Kaspersky and FireEye anti-virus products
PC and Laptop owners install anti-virus products to protect them against cyber attacks but what happens if the security products themselves have zero-days which can be exploited by cyber criminals? Tavis Ormandy, a security researcher at Google, has discovered a zero-day in Kaspersky and FireEye anti-virus.
Ormandy who had earlier found ‘trivially compromised’ critical vulnerabilities in ESET anti-virus announced on Twitter that he had cracked the Kaspersky anti-virus before he had informed Kaspersky about the zero-day in their product :
Okay, first Kaspersky exploit finished, works great on 15 and 16. Will mail report after dinner. /cc @ryanaraine pic.twitter.com/IpifiWpoEU
— Tavis Ormandy (@taviso) September 5, 2015
Ormandy calls this flaw “a remote, zero interaction SYSTEM exploit, in default config. So, about as bad as it gets.”
Like earlier, Ormandy was criticized for his practice of disclosing vulnerabilities publicly rather than informing the company first and giving them time to fix the flaw. Luckily he marked the tweet cc to @ryanaraine who is a reporter with Threatpost which belongs to Kaspersky. Following the tweet, Kaspersky swung into action and rolled out a patch for the flaw to its anti-virus users all around the world.
Kaspersky tell me they're rolling out a fix globally right now, that was less than 24hrs.
— Tavis Ormandy (@taviso) September 6, 2015
Another researcher finds a zero-days in FireEye
Another researcher, Kristian Erik Hermansen also took the tweet street to announce a zero-day in FireEye, another of major anti-virus maker in the world.
FireEye remote root file system access 0day — https://t.co/YabpDIkj6d
— ???????????????????? (@h3rm4ns3c) September 2, 2015
Los Angeles-based researcher Hermansen claimed that he has discovered at least four flaws within FireEye’s core security product. He also revealed details of one of the vulnerabilities on Pastebin and offered other three for sale to highest bidder.
FireEye — Unauthenticated Command Injection remote root 0day at module ??? in ??? parameter 😉 Will sell for $$$$$$
— ???????????????????? (@h3rm4ns3c) September 2, 2015
Hermansen posted details of how to trigger the remote file disclosure vulnerability as well as details of a file that is used to keep track of every registered user that has access to a particular system. The paste on pastebin states, “FireEye appliance, unauthorised remote root file system access. Oh cool, web server runs as root! Now that’s excellent security from a security vendor 🙂 Why would you trust these people to have this device on your network?”
The vulnerability allows those exploiting it to gain remote access to files while the three other exploits Hermansen claims to have discovered would allow users to bypass logins, along with two command injection vulnerabilities one of which is unauthorized and one authorized.
Hermansen said that he had discovered one of the zero-days some 18 months before and was “sitting on for more than 18 months with no fix from those security “experts” at FireEye.” After eliciting no response from FireEye/Mandiant, he decided to offer the zero-days to the highest bidder. He already seems to have received one offer for the zero-days.
@h3rm4ns3c looking for that follow back plz
— Mr.Moo (@Alshomranimoham) September 7, 2015
