Security researchers discover Zero-days in Kaspersky and FireEye anti-virus products

PC and laptop owners install anti-virus products to protect themselves against cyber attacks, but what happens if the security products themselves have zero-days which can be exploited by cyber criminals? Tavis Ormandy, a security researcher at Google, has discovered a zero-day in Kaspersky anti-virus, and another researcher has found zero-days in FireEye.

Ormandy, who had earlier found ‘trivially compromised’ critical vulnerabilities in ESET anti-virus, announced on Twitter that he had cracked the Kaspersky anti-virus before he had informed Kaspersky about the zero-day in their product:

Ormandy calls this flaw “a remote, zero interaction SYSTEM exploit, in default config. So, about as bad as it gets.”

As before, Ormandy was criticized for his practice of disclosing vulnerabilities publicly rather than informing the company first and giving them time to fix the flaw. Luckily he cc'd @ryanaraine on the tweet, a reporter with Threatpost, which belongs to Kaspersky. Following the tweet, Kaspersky swung into action and rolled out a patch for the flaw to its anti-virus users all around the world.

Another researcher finds zero-days in FireEye

Another researcher, Kristian Erik Hermansen, also took to Twitter to announce a zero-day in FireEye, another major anti-virus maker.

Los Angeles-based researcher Hermansen claimed that he has discovered at least four flaws within FireEye’s core security product. He also revealed details of one of the vulnerabilities on Pastebin and offered the other three for sale to the highest bidder.

Hermansen posted details of how to trigger the remote file disclosure vulnerability, as well as details of a file that is used to keep track of every registered user that has access to a particular system. The paste on Pastebin states, “FireEye appliance, unauthorised remote root file system access. Oh cool, web server runs as root! Now that’s excellent security from a security vendor 🙂 Why would you trust these people to have this device on your network?”

The disclosed vulnerability allows those exploiting it to gain remote access to files on the appliance. The three other flaws Hermansen claims to have discovered would allow users to bypass logins, along with two command injection vulnerabilities, one exploitable without authorization and one requiring it.

Hermansen said that he had discovered one of the zero-days some 18 months earlier and had been “sitting on for more than 18 months with no fix from those security “experts” at FireEye.” After eliciting no response from FireEye/Mandiant, he decided to offer the zero-days to the highest bidder. He already seems to have received one offer for the zero-days.
