Mr. Kristian Erik Hermansen, a security researcher based in Los Angeles, USA, found a zero-day bug in antivirus FireEye, along with three other vulnerabilities, which according to its Twitter account, are now for sale.
Despite the fact that a security researcher putting the vulnerabilities up for sale is flirting with crime, this may be Mr. Hermansen's only way to draw the company's attention to these errorthe, which, according to the exchange of electronic messages with Jumping, have been ignored by FireEye the last 18 months !!.
According to her announcement Exploit Database, the zero-day vulnerability provides "unauthorized access to the remote root filesystem" in affected FireEye applications.
The flaw is in a PHP script that runs on a web page that views it Apache server. The zero-day vulnerability, which can be triggered remotely, when usesfiles, and provide attackers with access to local files.
The other vulnerabilities are basically injection commands and connection bypass errors. No additional details have been posted about them, but the Mr. Hermansen said that it will sell the vulnerability to the highest bidder.
The FireEye company, in general, is looked upon with distrust and perhaps with hatred by most of the researchers security, since last year sacked a security specialist to notify the public to vulnerabilities in the FireEye Malware Analysis System (MAS).