A researcher has revealed a zero-day vulnerability in FireEye and says there are three other vulnerabilities, all of which are for sale. Ken Westin, Security Analyst for Tripwire, commented on the zero-day vulnerability in FireEye’s core product which, if exploited, results in unauthorized file disclosure.
Ken Westin, Security Analyst for Tripwire:

“Security researchers are increasingly targeting security software vulnerabilities for a number of reasons. Some security researchers are looking for vulnerabilities in open source and commonly used libraries and tools to help make them more secure. Other security researchers are more profit driven, looking for bug bounties from software vendors, or some other form of payout from software vendors when they identify vulnerabilities. This can put software vendors in a precarious situation, as they may wish to ensure their software is secure; however, they do not want to be held to ransom, or have vulnerabilities in their products sold to zero-day brokers. Many software vendors provide a process for security researchers to reach out through the responsible disclosure process, and as an incentive they provide bounties and other benefits. However, it can be a challenge to identify which vulnerabilities are serious and pose actual threats to their customers. It also takes time and resources to investigate vulnerability claims.”

About Tripwire: Tripwire is a leading provider of advanced threat, security and compliance solutions that enable enterprises, service providers and government agencies to confidently detect, prevent and respond to cybersecurity threats. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business context, and enable security automation through enterprise integration. Tripwire’s portfolio of enterprise-class security solutions includes configuration and policy management, file integrity monitoring, vulnerability management and log intelligence.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.