Two major security vendors are working quickly to fix problems in their products after security researchers publicly disclosed vulnerabilities over the past few days.
Google researcher Tavis Ormandy tweeted at the end of last week that he had managed to exploit a Kaspersky Lab AV product.
According to reports, he claimed at the time the flaw was “a remote, zero interaction system exploit, in default config. So about as bad as it gets.”
It turns out that it was, more precisely, a buffer overflow vulnerability.
On Monday Ormandy tweeted that he’d sent the Russian security firm even more bugs to investigate, “many obviously exploitable.”
Security consultant Graham Cluley questioned the timing of the initial disclosure, given that it came at the start of a long weekend in the US, although Ormandy did cc Ryan Naraine, a journalist at Kaspersky-owned Threatpost, on the initial tweet.
In response, Kaspersky Lab fixed the problem within 24 hours, sending the following statement to Infosecurity:
“A fix has already been distributed via automatic updates to all our clients and customers. We’re improving our mitigation strategies to prevent exploiting of inherent imperfections of our software in the future. For instance, we already use such technologies as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).
Kaspersky Lab has always supported the assessment of our solutions by independent researchers. Their ongoing efforts help us to make our solutions stronger, more productive and more reliable.”
Meanwhile, LA-based researcher Kristian Erik Hermansen publicly disclosed a FireEye zero-day vulnerability last week, claiming that he had been “sitting on this for 18 months with no fix from those security ‘experts’.”
A Pastebin post had the following:
“FireEye appliance, unauthorized remote root file system access. Oh cool, web server runs as root! Now that's excellent security from a _security_ vendor :) Why would you trust these people to have this device on your network?!?!?”
Hermansen claimed to have discovered several more vulnerabilities in FireEye products and even took to Twitter to offer them for sale.
However, the researcher’s standing was diminished somewhat by his claim that the US security giant has no means of reporting bugs.
In a statement sent to Infosecurity, FireEye was quick to point out it does in fact have “a documented policy for researchers to responsibly disclose and inform us of potential security issues.”
It added:
“We appreciate the efforts of security researchers like Kristian Hermansen and Ron Perris to find potential security issues and help us improve our products, but always encourage responsible disclosure … We have reached out to the researchers regarding these potential security issues in order to quickly determine, and potentially remediate, any impacts to the security of our platform and our customers.”