Zero-day vulnerabilities found in Kaspersky and FireEye anti-virus

Tavis Ormandy, of Google, discovered a vulnerability that he described as “a remote, zero interaction SYSTEM exploit in default config”. In August, Kaspersky Lab denied claims from two former employees that it seeded fake malware signatures to competitors’ anti-virus products so they would label benign files as malicious.

A zero-day security flaw in Kaspersky anti-virus software could enable an attacker to circumvent Kaspersky’s security and compromise users’ systems.

Security expert Graham Cluley, who wrote about the vulnerability in his latest blogpost, questioned the timing of the disclosure.

Kaspersky Lab is not the first security software firm to receive attention from Ormandy.

Ormandy has previously published details of how he has exploited anti-virus products from Sophos and ESET.

According to a posting on the Exploit Database, the zero-day vulnerability provides “unauthorized remote root file system access” to affected FireEye applications.

Nonetheless, one remains concerned that in the past malicious hackers have taken details of flaws published by Google’s Tavis Ormandy, and used them in attacks.

Echoing Naraine’s comments, Kaspersky Lab thanked Ormandy for reporting what the company termed “a buffer overflow vulnerability”. “A fix has already been distributed via automatic updates to all our clients and customers”.

“For instance, we already use such technologies as Address Space Layout Randomisation (ASLR) and Data Execution Prevention (DEP)”, the company said.

“Kaspersky Lab has always supported the assessment of our solutions by independent researchers”.

Of potentially more concern are the FireEye vulnerabilities, which were revealed by Kristian Erik Hermansen on Twitter.

“His critics, of which I’m one, fear that he has sometimes put innocent users at risk by not working on a co-ordinated disclosure with the manufacturer of the vulnerable software, ensuring that all users are protected with a patch before details of how to exploit the flaw are made public”, Cluley said.

He continued: “Just one of many handfuls of FireEye/Mandiant zero-day”.

In the same email exchange with CSO, Hermansen also claims he’s “pretty sure Mandiant staff coded this and other bugs into the products”. Los Angeles-based researcher Hermansen claims he has discovered at least four flaws within FireEye’s core security product – revealing details of one and offering the other three for sale to the highest bidder. “Even more sad, FireEye has no external security researcher reporting process”. Such security holes are susceptible to being exploited by hackers as there is usually a window between the flaw being found (day zero) and the vendor issuing a fix.

Cluley said it was regrettable Hermansen published proof-of-concept code showing how the vulnerability could be triggered.