Kaspersky and FireEye hit by zero-day security flaw claims

Key points

A zero-day security flaw in Kaspersky anti-virus software could enable an attacker to circumvent Kaspersky's security and compromise users' systems.

Flaws publicised over the weekend - Kaspersky claims fix is imminent

In a tweet, Tavis Ormandy, a security researcher working for Google with a track record for disclosing security vulnerabilities, described it as "a remote, zero interaction SYSTEM exploit, in default config. So, about as bad as it gets".

Ormandy has previously demonstrated exploits against Sophos and ESET anti-virus packages, and has come under fire in the past for disclosing first rather than working with vendors on a fix and a coordinated disclosure.

His latest security disclosure was made over a holiday weekend, which includes the Labor Day holiday in the US today. Kaspersky, however, has claimed that it is rushing out a fix in response.

Ormandy's disclosures were made at the same time that another security researcher, Kristian Erik Hermansen, disclosed details of zero-day vulnerabilities in FireEye's security appliance, including proof-of-concept code. Hermansen's information is reportedly for sale. Furthermore, he claims that he has known about the flaw for 18 months.

"FireEye appliance, unauthorized remote root file system access. Oh cool, web server runs as root! Now that's excellent security from a_security_vendor :) Why would you trust these people to have this device on your network," he wrote on disclosure of the flaws.

He continued: "Just one of many handfuls of FireEye/Mandiant zero-day. Been sitting on this for more than 18 months with no fix from those security 'experts' at FireEye. Pretty sure Mandiant staff coded this and other bugs into the products. Even more sad, FireEye has no external security researcher reporting process."

In an email exchange with CSO Online, Hermansen claimed that he and another researcher, Rob Perris, had discovered a total of 30 vulnerabilities in FireEye's products, including multiple root issues.

"I tried for 18 months to work with FireEye through responsible channels and they balked every time. These issues need to be released because the platforms are wrought with vulnerabilities and the community needs to know, especially since these are Gov-approved Safe Harbor devices with glaring remote root vulnerabilities," Hermansen told CSO Online.