Zero-day bugs in Kaspersky and FireEye products found, exploits disclosed
A slew of vulnerabilities – some already patched and some still not – have been revealed to affect several security offerings by some of the most trusted names in the security market.
Google security researcher Tavis Ormandy announced on Friday that he has devised a “remote, zero interaction SYSTEM exploit, in default config” for a vulnerability he found in Kaspersky’s latest AV software versions.
He obviously shared his findings with the company, which pushed out a fix less than 24 hours later, distributing it to users via automatic updates.
Ormandy also noted yesterday that he sent Kaspersky some more vulnerabilities to investigate.
Also on Friday, researcher David Coomber revealed the existence of a cleartext credentials vulnerability affecting version 1.5.7 and below of the Avira Mobile Security iOS app and a MITM SSL certificate vulnerability endangering users of Webroot’s SecureAnywhere Business – Mobile Protection app.
Both holes have been plugged by the companies in newly released versions of the apps.
Finally, infosec consultant Kristian Erik Hermansen publicly revealed exploit code for a 0-day unauthorized remote root file system access vulnerability affecting a FireEye forensic analysis platform appliance.
He claims that the bug is just one of many 0-days affecting FireEye/Mandiant products, and that he has been “sitting on this for more than 18 months with no fix from those security ‘experts’ at FireEye”.
He intimates that he didn’t share the information with the company because they have “no external security researcher reporting process,” but FireEye stated that they have a documented policy for researchers to responsibly disclose and inform them of potential security issues.
According to ZDNet, the company has reached out to Hermansen in an effort to find out more about the three additional vulnerabilities he discovered and offered for sale on Twitter.