What if, with a single email, an attacker could monitor all traffic on a supposedly protected network?
Researchers from Google’s Project Zero found, and silently reported, a bug in FireEye security software that allowed attackers to do just that. No, it’s a not a phishing scam. No one had to actually open the email. Just sending it was enough.
FireEye offers devices that scan all traffic flowing through a company’s network. If malware is detected in any transfer, the device intercepts the file and removes the malware.
Project Zero demonstrated they could use this constant screening process against the software, turning it from a security feature into a bug that monitors all Internet traffic inside the company. Google employee Tavis Ormandy outlined the process in a blog post.
“For networks with deployed FireEye devices, a vulnerability that can be exploited via the passive monitoring interface would be a nightmare scenario,” wrote Ormandy, adding that such an exploit could let hackers passively monitor all traffic on a company’s network. He then outlined an exploit that does exactly that.
Read the entire post if you’re technically inclined — everything is laid out in detail. But don’t worry, FireEye has been notified of the problem, and given a chance to fix it before Google published the exploit for the entire world to read.
Google’s Project Zero team is charged with discovering, documenting, and silently reporting zero day exploits before malicious hackers do. The team researches not only potential security issues in Google services, but any software used by large groups of people.
When the team discovers a flaw in another company’s software, they report it silently so that patches can be developed and released. It’s only after everything is fixed that they make their discoveries public — or 90 days, whichever comes first. The team caused controversy in 2014, when Microsoft did not fix an exploit in Windows 8 within the 90-day Window.