Last week, security firm DirectDefense came under fire for over-hyping claims that Cb Response, a cybersecurity product sold by competitor Carbon Black, was leaking proprietary from customers who use it. Carbon Black responded that the bug identified by its competitor was a feature, and that customers were amply cautioned in advance about the potential privacy risks of using the feature. Now Carbon Black is warning that an internal review has revealed a wholly separate bug in Cb Response that could in fact result in some customers unintentionally sharing sensitive files.
As noted in last week’s story, DirectDefense warned about a problem with Cb Response’s use of Google’s VirusTotal — a free tool that lets anyone submit a suspicious file and have it scanned against dozens of commercial anti-malware tools. There is also a paid version of VirusTotal that allows customers to examine any file uploaded to the service.
Specifically, DirectDefense claimed that Cb Response’s sharing of suspicious files with VirusTotal could expose sensitive data because VirusTotal allows paying customers to download any files submitted by other users. DirectDefense labeled the bug “the world’s largest pay-for-play data exfiltration botnet.”
Numerous industry analysts leapt to Carbon Black’s defense — with some even calling “bullshit” on the findings — pointing out that plenty of other vendors submit files through Virustotal and that DirectDefense was merely trying to besmirch a competitor’s product.
But earlier this week, Carbon Black began quietly notifying customers that an internal review of the claims revealed a completely different bug that could result in some benign customer files being miscategorized as executable files and inadvertently uploaded to Virustotal for scanning.
“On Thursday, we discovered a bug affecting a small percentage of our Cb Response customers,” said Mike Viscuso, co-founder and chief technology officer at Carbon Black. “Our review is still ongoing, but based on what we learned to date it requires a very specific customer configuration, and we have already taken steps to remediate the bug and protect our customers.”
Viscuso said this bug appears to affect a small number of Cb Response customers who have enabled VirusTotal submissions and use the program on a Mac OS in the presence of specific third-party applications. For example, he said, when a Mac user opens Spotify, the popular music service will read a configuration file in a way that causes Cb Response to classify regular content files (e.g., Microsoft Word, PDF, .TXT) as an unknown binary file. A binary file is computer-readable but not human readable; for example, executable programs (e.g., .exe files on Windows) are stored as binary files.
According to Viscuso, the bug was introduced in the Mac version of Cb Response roughly three months ago. He said part of the problem seems to stem from the file classification tool that ships with the Cb Response — explaining that the tool sometimes misclassifies corrupted binary files. One of the most common sources of corrupted binary files are antivirus products, which often modify suspected malicious binaries after placing the files in quarantine to ensure the programs can’t be accidentally run.
The Carbon Black discovery comes as more software-as-a-service providers are seeking ways to alert customers who may be inadvertently sharing sensitive data. Amazon recently launched Amazon Macie, a new security service that uses machine learning to discover and classify sensitive data such as personal information in AWS, alerting customers when such data is moved, accessed or otherwise publicly available.
Viscuso said the company was considering whether it, too, could offer any additional service that might help customers prevent the accidental sharing of content files to third-party services like VirusTotal. In the meantime, he said, Carbon Black is providing a full list of uploaded files to affected customers, asking them to report whether the files were binaries or content files.