The ongoing battle between researchers and vendors over the public disclosure of security vulnerabilities in vendor products took a bizarre turn last week in a new case involving two security firms, FireEye and ERNW. In a blog post published September 10, ERNW revealed that FireEye had obtained a court injunction to prevent its researchers from publicly disclosing certain information around three vulnerabilities they discovered in a security product made by FireEye.
Although FireEye agreed that ERNW could disclose the vulnerabilities themselves in a report they planned to publish and present at a conference, the firm took issue with the amount of information the researchers planned to reveal—information ERNW says was required to fully understand the context for the vulnerabilities, but that FireEye says was proprietary source code and would have exposed its product and customers to risk.
FireEye says it saw legal action as the only way to protect its interests and its customers.
Enno Rey, founder of ERNW, wrote a lengthy blog post describing his disappointment in how FireEye strong-armed them with a legal threat. “I don’t think [legal action is] appropriate in this specific case, I don’t think it’s appropriate in the vast majority of other cases of responsible disclosure and I think it eventually sends the wrong signal to the research community,” he wrote. Others in the security community agree with him.
The battle, first reported by the German publication Süddeutsche Zeitung, marks a new twist in the decades-long saga over vulnerability disclosure.
There has long been tension between security researchers who uncover vulnerabilities in a software vendor’s product and the vendors who don’t want the researchers to publicly disclose these holes. In 2005, for example, technology giant Cisco hit researcher Mike Lynn with a court injunction and threat of lawsuit to prevent him from revealing information about a serious security flaw he discovered in its routers. Lynn also faced an FBI probe over his disclosure.
In 2008, Boston subway officials obtained an injunction against three MIT students to prevent them from presenting a talk about security vulnerabilities they found in payment systems used in the Massachusetts mass transit system.
But the FireEye case is unique in that it’s a face-off between two security firms, both of whom understand the importance that security research plays in securing computer users. ERNW is a security consulting company based in Germany, and FireEye is a large security firm based in California that is often in the news over its investigation of security breaches. FireEye’s Mandiant forensic unit was hired by Sony last year to investigate its massive breach and has investigated most of the high-profile breaches of the last decade.
FireEye has also been on the discovery end of vulnerabilities in other vendors’ products. Last month, for example, researchers with FireEye Labs presented information about security flaws in the fingerprint scanners of Android phones.
A FireEye spokesman told Wired that his firm fully supported the ERNW researchers disclosing the vulnerabilities in his company’s product but tried to negotiate with them for more than a month about removing sensitive information they didn’t think was necessary for the disclosure. After failing to obtain assurances that the information would be removed, FireEye lost confidence in the negotiations.
He notes that FireEye works with a lot of researchers and vendors about security flaws, but those negotiations never involve the degree of information ERNW planned to disclose. In addition to information about the vulnerabilities, he says they also planned to disclose source code and information about the software architecture and design of FireEye’s security product.
“You’re giving attackers the upper hand, which is against responsible disclosure,” FireEye spokesman Vitor De Souza told Wired. “When we saw what they had in their [initial] report we were like holy shit. We had a lot of questions about how they obtained that… We deal with hundreds of researchers and we had never seen that before. What they included in their report crossed the line. No one was comfortable with that information being disclosed to the public.”
The company has posted a blog entry explaining its stance.
In the two accounts of the incident, it’s not surprising that the two companies diverge in their interpretation of what occurred. Both agree, however, on some of the basic facts.
The issue between ERNW and FireEye began in April when the German firm contacted FireEye about five vulnerabilities its researcher Felix Wilhelm had found in FireEye’s Malware Protection System version 7.5.1. FireEye says it was already aware of two of the vulnerabilities, but was happy to receive information about the other three from Wilhelm.
One of the most serious would allow an attacker to take control of the MPS appliance simply by sending two emails to any employee at a targeted company—one containing a ZIP attachment with malware and a second containing another ZIP attachment designed to trigger the malware to launch and install a backdoor on the customer’s MPS system. The attack would work even if the recipient didn’t open the initial malicious attachment or even the email in which it was sent, according to a presentation Wilhelm prepared about the vulnerabilities. “Just transferring it is enough,” he wrote in his slides.
Over several weeks beginning in May, FireEye worked with ERNW to understand the vulnerabilities and devise fixes for the main vulnerabilities by the end of June. Some time in June, ERNW provided FireEye with a draft document of a report they planned to release about their findings, following a 90-day period to allow for the disclosure and fixing process to be completed.
FireEye objected to the extensive technical details that described the inner workings of the MPS. “No other software company would allow their source code and design trade secrets be revealed to the public,” De Souza told Wired. ERNW’s founder Enno Rey writes that he ‘never had the intention to violate’ FireEye’s desire to protect its intellectual property.
Rey, who did not respond to Wired’s request for comment, saw it otherwise. “We… were of the opinion,” he wrote in his blog post, “that some level of contextual detail would be necessary to understand the nature of the vulnerabilities which in turn would subsequently serve the objective of education that is inherent to any responsible disclosure process.” Nonetheless, Rey asserts that his researchers “removed stuff” from the document “at several occasions during this phase” and that they also complied when FireEye asked several times that they postpone publication of their report, in order to ensure that more customers were upgraded with the fixes.
De Souza maintains, however, that none of the objectionable information they had asked to be removed was deleted from subsequent versions of the report ERNW sent them. “We had multiple discussions with them throughout month of July, and in all the versions of the draft they sent they kept putting IP information in it,” he says.
So FireEye sought a face-to-face meeting to discuss the matter. All the parties met in person on August 5th at the BlackHat security conference in Las Vegas. At the end of that meeting, Rey says they had all come to an agreement about the document.
“We went through the document draft, section by section, and discussed wordings and (level of) technical details,” Rey notes in his blog post. “All three of us had the strong impression that a preliminary consensus was reached during that meeting, and a number of hands were shaken at parting. We think it was agreed upon that we would send the next, mostly final iteration in the following week.”
Rey notes that he fully understood FireEye’s desire to protect its intellectual property and “never had the intention to violate that.” He adds: “[W]e had abided by (both virtual and physical) handshake several times that nothing would be published without mutual agreement. We thought we were on the same track.”
De Souza, however, says that the FireEye team still did not feel reassured that ERNW would remove the material. That concern was reinforced, he says, when FireEye discovered an abstract for a talk ERNW planned to give about the vulnerabilities in September at a conference in London. The abstract, which is no longer available online, said “they would reveal how the FireEye engine works,” says De Souza. FireEye had known that ERNW planned to present their findings at a later conference in Singapore in October, but the discovery that an earlier talk was also planned—one ERNW had not disclosed to them—and that it appeared the talk would contain proprietary information pushed FireEye over the edge.
After all of this, De Souza says, “Our confidence level that they were going to adhere [to our request to remove the information] was low. We’d been talking for nearly three months. After multiple conversations and multiple iterations [of their report], and they’re still not adhering to what we discussed.”
FireEye felt it was running out of time before the September conference, so it sent a cease-and-desist letter to ERNW within 24 hours after the Las Vegas meeting as well as a document ERNW was to sign to provide assurance that its researchers would not disclose proprietary information in their talk.
ERNW consulted with a lawyer and told FireEye they would respond to the letter by August 17. But FireEye wasn’t prepared to wait. On August 13th, the company went to court to obtain an injunction to prevent ERNW from disclosing proprietary information about the company’s product, while still allowing the researchers to publicly discuss the vulnerabilities themselves. ERNW received that injunction on September 2.
Rey insists that in the meantime ERNW had already sent a new draft of their report to FireEye on August 11 with all of the objectionable material removed. De Souza says, however, that the company never received it. He says it wasn’t until September 2, the day that ERNW received the court injunction, that ERNW finally sent a new draft of the report with the objectionable material removed.
Eventually, the company released an announcement on September 8 noting the vulnerabilities, and giving ERNW credit for discovering them. This week Wilhelm gave his presentation at the London conference, while noting that he was prevented from disclosing some of the information he had planned to discuss, due to the injunction from FireEye.
Many people in the security community feel burned over the incident. And De Souza says he understands the displeasure with his company. “The court order, I understand that may have rubbed them in the wrong direction, as it would to anyone who received a legal letter,” he says. In the end, though, FireEye was trying to protect its intellectual property the way any other company would.
He adds that it’s important to remember that FireEye never sought to prevent ERNW from disclosing the vulnerabilities themselves.
For his part, Rey wrote that he would “be really happy if our case contributes to evolving the understanding, procedures and maturity of vulnerability disclosure in certain circles. If nothing else it would then have been worth the effort and energy spent so far on all this.”