Mr. Kristian Erik Hermansen, a security researcher based in Los Angeles of USA, found a zero-day bug in FireEye antivirus, along with three other vulnerabilities, which according to his Twitter account, are now for sale.
Despite the fact that a security researcher putting vulnerabilities up for sale is flirting with criminality, this may be Mr. Hermansen's only way to attract caution of the company in these errors, which, according to the exchange of electronic messages with Jumping, have been ignored by FireEye the last 18 months !!.
According to her announcement Exploit Database, the zero-day vulnerability provides "unauthorized access to the remote root file system" to affected applications FireEye.
The flaw is in a PHP script that runs on a web page facing Apache server. The zero-day vulnerability, which can be triggered remotely, when exploited, can give attackers access to local files.
The other vulnerabilities are basically injection commands and connection bypass errors. No additional details have been posted about them, but the Mr. Hermansen said that it will sell the vulnerability to the highest bidder.
FireEye, in general, is most misty and perhaps hatered by most security researchers, since last year sacked a security specialist to notify the public to vulnerabilities in the FireEye Malware Analysis System (MAS).