While it may be the Labor Day holiday in the United States, two popular anti-virus software companies are doing anything but resting. Over the weekend, researchers revealed zero-day vulnerabilities in the software of both Kaspersky and FireEye, two leading security research and anti-virus software companies.
The zero-day vulnerabilities were reported by two different security researchers, but have been packaged into exploits that are “as bad as it gets.”
The first disclosed bugs were found in Kaspersky’s software by Google security researcher Tavis Ormandy. Ormandy, who is notorious for publicly disclosing vulnerabilities he’s discovered prior to informing the software vendors of the flaws, tweeted his findings Friday evening.
“It’s a remote, zero interaction SYSTEM exploit, in default config. So, about as bad as it gets,” the tweet read.
Despite the announcement coming on a holiday weekend, Kaspersky Labs is reportedly rushing a fix for the issue.
Seemingly riding on the wave of embarrassment Kaspersky is likely experiencing, another security researcher, Kristian Erik Hermansen, decided to drop his own zero-day findings, this time in the anti-virus software of the renowned FireEye security company. Hermansen discovered several zero-day vulnerabilities in FireEye's security appliance, which he publicly disclosed, including proof-of-concept exploit code.
According to Hermansen, he’s been holding on to these particular vulnerabilities for 18 months and now, his findings are reportedly up for sale.
"FireEye appliance, unauthorized remote root file system access. Oh cool, web server runs as root! Now that's excellent security from a_security_vendor. Why would you trust these people to have this device on your network," Hermansen wrote in a pastebin post about the flaws. According to Hermansen, the company’s disclosure framework is lacking, prompting him to disclose publicly before reporting.
"Just one of many handfuls of FireEye/Mandiant zero-day. Been sitting on this for more than 18 months with no fix from those security 'experts' at FireEye. Pretty sure Mandiant staff coded this and other bugs into the products. Even more sad, FireEye has no external security researcher reporting process."
Hermansen claims he’s not the only security researcher who has qualms with FireEye’s vulnerability disclosure framework. Hermansen told CSO Online that another researcher had discovered some 30 vulnerabilities in FireEye's products, including multiple root issues.
“I tried for 18 months to work with FireEye through responsible channels and they balked every time. These issues need to be released because the platforms are wrought with vulnerabilities and the community needs to know, especially since these are Gov-approved Safe Harbor devices with glaring remote root vulnerabilities,” Hermansen said.
The reports, while disappointing, aren’t surprising. Almost daily, the news carries reports of reputable software companies with disdainful disclosure structures. While public disclosure without first attempting to work with the company is certainly not the optimal path for invoking change, for some independent security researchers it is the only way for their voice to be heard and for users to get the protection they deserve.