Ormandy Donates £10K to Amnesty After Finding Bromium Bugs

Endpoint security firm Bromium has released more details of the vulnerabilities found by noted white hat Tavis Ormandy in its Bring Your Own Malware challenge launched at Infosecurity Europe this year.

During the show, the firm offered a £10,000 bounty to anyone who could find flaws in its technology, claiming the competition highlighted the importance of holding security vendors to account and ditching “marketing BS in favor of defensible design and rigorous evaluation.”

Although the firm’s co-founder Simon Crosby claimed the product had deflected 189 attacks, of which 10 were unknown to VirusTotal, Google researcher Ormandy found two bugs that allowed him to “escape micro-VM isolation” – one of the key features of the product.

“Tavis found a bug in an early build of vSentry 3.1 with support for an old version of Chrome that was sent to a customer to evaluate a feature, and mistakenly uploaded. A skilled attacker armed with a chain of additional bugs could exploit our bug to achieve code execution in the host Chrome browser,” Crosby explained.

“Fortunately, in a typical Bromium production deployment the Bromium Enterprise Controller automatically updates Chrome protection via ‘App Packs’ soon after Google releases a new version. Recent Bromium Chrome App Packs, for example, fix the known bugs you’d need to be able to exploit our bug.”

Ormandy also found a similar vulnerability in the firm’s protection for Internet Explorer, with Crosby arguing again that a “typical Bromium configuration” would mitigate the bug.

The Googler donated his £10,000 reward to Amnesty International, with Crosby matching the sum with $15,000 of his own.

Bromium is currently in the process of setting up its own bug bounty program and claimed it won’t be handing out any more money in the meantime.

Crosby revealed the firm engages pen testers every year in a bid to improve its products.