"The vulnerabilities presented here could allow an attacker to compromise virtual machine-based malware detection systems such as a FireEye device by triggering the analysis of a crafted exploit," reads an advisory released by ERNW about the vulnerabilities on Thursday. "Such an analysis can be triggered by sending an email to an arbitrary corporate address or by embedding the exploit code in a document (to-be) downloaded via HTTP."ERNW founder Enno Rey goes on to explain in a blog post that ERNW subsequently established communication channels with FIreEye and submitted a draft of the document that it wished to publish on the vulnerabilities to the firm following a 90-day disclosure period. FireEye was of the opinion that the initial document revealed too many technical details about the inner workings, including the source code, of its MPS product. ERNW disagreed, but as explained by Ray, the company did make some changes and redacted several passages of the document.
"We tried to conceal from the researchers to publish our IP. No company in the world would want their IP revealed. We did that to protect our customers. We openly worked with them to fix the vulnerabilities, and patches have been available for months now. Our Customers are protected. This was not about stopping them from issuing a report neither the vulnerabilities, it was about protecting intellectual property that they didn’t have a legal right to publish."Rey has responded that ERNW never had the intention of threatening FireEye's IP and that he felt the company was unfairly targeting the security research community. News of this spat follows a disagreement with another researcher who demanded that he be paid for four zero-day vulnerabilities he found in FireEye's products earlier this week.