
FireEye is fending off plenty of criticism this week. All of it is coming from a security community outwardly aghast at its approach to dealing with researchers hoping to expose flaws in the company’s malware-blocking tech.

In its latest move, the California-based firm chose to put out an injunction on German firm ERNW, whose employee Felix Wilhelm was planning on delving into FireEye security technology and a trio of now-fixed vulnerabilities during a talk at the 44Con event in London tonight.

All the flaws were significant. One of the more concerning bugs required just two emails to be sent to a company using FireEye: one containing malware inside a ZIP file, and another with a ZIP package to trigger the exploit in the first attachment. FireEye would open the files for analysis and in doing so open a backdoor on its appliance, Wilhelm noted during his talk.

Users would not be required to open the attachments or even the emails. Whilst he was able to offer some information on the flaws, Wilhelm wasn’t able to go as deep into the FireEye system architecture and source code as he would have liked.

Conference organisers were far from happy. Steve Lord, one of the two co-founders of 44Con, told FORBES FireEye’s actions were an affront to freedom of speech.

“When you remove the right through legal action to say the word ‘FireEye’, you remove the right to say ‘fuck FireEye’,” Lord said. “That sets a really chilling precedent.

“You’re stifling not only free speech but the ability to warn and educate their customers, plenty of whom are actually here. I find their reaction to the research bizarre, absurd and unprofessional… The only reasonable response would be to say ‘fuck FireEye’.”
