Security researchers have disclosed vulnerabilities that could be exploited by cyber attackers in products from Kaspersky Lab and FireEye.
Controversial Google security researcher Tavis Ormandy tweeted that he had tested a successful exploit of a vulnerability in Kaspersky Lab’s antivirus software.
Ormandy tweeted about the exploit on 5 September 2015, copying in Kaspersky Lab Threatpost blogger Ryan Naraine, followed by a tweet the next day saying Kaspersky Lab was rolling out a fix.
Naraine responded to the second tweet by thanking Ormandy for his work, but the researcher has come under fire from other software suppliers in the past for premature vulnerability disclosures.
Microsoft has been particularly critical of Ormandy in the past for disclosing vulnerabilities in its software before its developers had time to produce a security update.
Kaspersky Lab is not the first security software firm to receive attention from Ormandy. He previously published details of how he exploited antivirus products from Sophos and ESET.
According to Ormandy, the Kaspersky Lab flaw is remotely exploitable without any user interaction and yields System-level privileges on a default configuration.
Independent security advisor Graham Cluley said it is better that someone such as Ormandy finds a flaw than that a malicious hacking gang does.
“Nonetheless, one remains concerned that malicious hackers have taken details of flaws published by Google’s Tavis Ormandy in the past and used them in attacks,” Cluley wrote in a blog post.
Echoing Naraine’s comments, Kaspersky Lab thanked Ormandy for reporting what the company termed “a buffer overflow vulnerability”.
The company said the vulnerability had been fixed within 24 hours of its disclosure and the fix had already been distributed via automatic updates to its customers.
“We’re improving our mitigation strategies to prevent exploiting of inherent imperfections of our software in the future,” Kaspersky Lab said in a statement.
“For instance, we already use such technologies as Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP),” the company said.
The statement added that Kaspersky Lab has always supported the assessment of its software by independent researchers.
“Their ongoing efforts help us to make our solutions stronger, more productive and more reliable,” the company said.
A second disclosure, by security researcher Kristian Hermansen, concerns a zero-day in a PHP script on FireEye’s core security appliance which, if exploited, could result in unauthorised file disclosure, according to CSO.
“FireEye appliance, unauthorised remote root file system access – the web server runs as root. Now that’s excellent security from a security vendor. Why would you trust these people to have this device on your network?” wrote Hermansen in a note that accompanied the disclosure and proof.
He also claimed the flaw was just “one of many handfuls” of FireEye/Mandiant zero-days.
“Been sitting on this for more than 18 months with no fix from those security ‘experts’ at FireEye. Pretty sure Mandiant staff coded this and other bugs into the products. Even more sad, FireEye has no external security researcher reporting process,” wrote Hermansen.
This lack of a vulnerability reporting process is a problem security researchers typically encounter. In recent research into the security flaws of internet-connected baby monitors, Rapid7 researcher Mark Stanislav found that only two of the eight suppliers he approached with his findings had a vulnerability reporting process in place.
While FireEye has also thanked Hermansen for his work, the company has pointed out that it does have a process and even a portal for researchers to report vulnerabilities.
“We appreciate the efforts of security researchers like Kristian Hermansen to find potential security issues and help us improve our products, but always encourage responsible disclosure,” the company said in a statement.
“FireEye has a documented policy for researchers to responsibly disclose and inform us of potential security issues. We have reached out to the researchers regarding these potential security issues in order to quickly determine, and potentially remediate, any impacts to the security of our platform and our customers.”
Cluley said it was regrettable Hermansen published proof-of-concept code showing how the vulnerability could be triggered.
However, security researchers often say they have chosen to go public with their findings because of the slow response of suppliers.
According to Rapid7’s Mark Stanislav, while some of the suppliers contacted about his research findings were positive, only one had a very positive response. Several suppliers made no response at all, despite being given 60 days’ notice before he went public.