A war of words has broken out after researchers revealed zero-day vulnerabilities in FireEye and Kaspersky's security software during the US Labor Day holiday weekend - leaving the two firms scrambling to patch the problems.
In a tale of contrasting bug disclosures, British researcher Tavis Ormandy, now with the Google Project Zero bug hunting team in California, said on Saturday he had found a flaw in Kaspersky's anti-virus product that was “about as bad as it gets”.
Kaspersky quickly patched the “remote, zero interaction system exploit”, earning praise from Ormandy for rolling out a fix in less than 24 hours. But yesterday Ormandy dropped the bombshell that he had found more Kaspersky vulnerabilities, “many obviously exploitable”.
As yet Kaspersky has not responded.
Meantime, Los Angeles-based information security consultant Kristian Hermansen ignited a row when he published details on Sunday of a bug in FireEye's Mandiant security software that could give unauthorised users root access to the file system – which is as yet unpatched.
Hermansen, working with researcher Ron Perris, said it is one of “many handfuls” of FireEye/Mandiant zero-days. He criticised the vendor's reaction to his findings by claiming he had been “sitting on this for more than 18 months with no fix from those security ‘experts’ at FireEye”.
Hermansen also suggested the vulnerabilities might be ‘backdoors’ deliberately inserted by the vendor.
“Pretty sure Mandiant staff coded this and other bugs into the products,” he claimed.
On his Twitter account, Hermansen even offered for sale the three FireEye zero-days he had not made public, describing them as a login bypass plus unauthorised-user and authorised-user command injection remote root zero-days.
We asked FireEye to comment on his specific claims but it had not responded by the time of writing. However, the company issued a statement criticising his ‘irresponsible’ bug disclosure while promising a quick fix for the flaws.
It said: “FireEye learned of four potential security issues in our products from Kristian Hermansen's public disclosure of them being available for purchase. We appreciate the efforts of security researchers like Hermansen and Ron Perris to find potential security issues and help us improve our products, but always encourage responsible disclosure.”
But Hermansen remained apparently unrepentant in statements attributed to him by CSO Magazine.
"These issues need to be released because the platforms are wrought with vulnerabilities and the community needs to know, especially since these are Gov-approved Safe Harbor devices with glaring remote root vulnerabilities.
"No-one should be trusting these devices on their network if FireEye can't be bothered to fix the problems. As a security company, their standards should be higher."
Kaspersky issued a statement saying: “We would like to thank Tavis Ormandy for reporting to us a buffer overflow vulnerability, which our specialists fixed within 24 hours of its disclosure. A fix has already been distributed via automatic updates to all our clients and customers.”