FireEye Patches Critical Flaw Found by Google Researchers

FireEye has rushed to patch a serious vulnerability identified in its products by researchers at Google’s Project Zero.

Project Zero researchers Tavis Ormandy and Natalie Silvanovich announced on Friday evening that they had developed a reliable exploit for a remote code execution (RCE) vulnerability affecting FireEye’s Malware Protection System (MPS). The experts haven’t provided any technical details, but Ormandy noted on Twitter that the bug likely affected “every version ever shipped.”

Took all day, but @natashenka and I just got a 100% reliable FireEye remote code execution working. I’ll send the vulnerability report now.

— Tavis Ormandy (@taviso) December 5, 2015

FireEye told SecurityWeek that the RCE vulnerability affected the company’s Network Security (NX), Email Security (EX), Malware Analysis (AX), and File Content Security (FX) products.

“FireEye had been engaged with and was supporting the Google Project Zero team prior to this discovery around the testing of our products. Due to the severity of the vulnerability discovered, we released an automated remediation to customers just 6 hours after notification, mitigating any customer exposure by Saturday morning,” FireEye spokesman Kyrksen Storer said in an emailed statement.

“We are thankful for the opportunity to support the Google team in this process, will continue to support their efforts, and fully support the broader security research community’s efforts to test and improve our products,” Storer added.

This was not the first time researchers reported finding vulnerabilities in FireEye products. In September, FireEye patched several vulnerabilities discovered by Kristian Erik Hermansen and Ron Perris. Hermansen disclosed the details of a flaw before the security firm could release a fix, claiming that he had reported the issue 18 months prior to its public disclosure.

In September, FireEye also resolved five vulnerabilities reported by German security firm ERNW. The issues – which included command injection, code execution, privilege escalation and memory corruption vulnerabilities – affected NX, EX, AX, FX, HX (Endpoint Security) and CM (Central Management) products.

FireEye’s support site currently lists nearly a dozen advisories describing vulnerabilities affecting the company’s products. The list does not include an advisory for the latest flaw reported by Ormandy.

FireEye is not the only security company whose products have been analyzed by the Google researcher. In September, Ormandy reported serious vulnerabilities in products from Kaspersky Lab.