igor - Fotolia
Kaspersky Lab has fixed some of the serious antivirus vulnerabilities reported earlier this month, but it still has more work to do, as Google Project Zero has reported new Kaspersky software vulnerabilities.
In a statement provided to media outlets, Kaspersky Lab stated that the vulnerabilities publicly disclosed by Ormandy, "have already been fixed in all affected Kaspersky Lab products and solutions," noting further that Kaspersky specialists "have no evidence that these vulnerabilities have been exploited in the wild."
However, it appears there will be more to come. On Tuesday, Ormandy tweeted "For those asking, I haven't finished auditing Kaspersky; still filing new bugs."
Ormandy wrote that "dozens of reports" were sent to Kaspersky Lab to investigate, "any of which could result in a complete compromise of any Kaspersky Antivirus user."
Antivirus zero-day vulnerabilities can be particularly dangerous. "Because antivirus products typically intercept file system and network traffic, simply visiting a website or receiving an email is sufficient for exploitation," Ormandy noted in his blog post. "It is not necessary to open or read the email, as the file system I/O from receiving the email is sufficient to trigger the exploitable condition."
Kaspersky Lab praised Ormandy for his work in its statement. "We would like to thank Mr. Tavis Ormandy for reporting these vulnerabilities to us in a responsible manner. We greatly appreciate his effort and his findings, which were backed by the computing power of Google Project Zero." Kaspersky said it is still working on fixing the vulnerabilities that have not yet been disclosed.
Ormandy, in turn, praised Kaspersky Lab for their prompt response in moving quickly to fix vulnerabilities. He said in the blog post that he was "happy to report that Kaspersky are rolling out some improved mitigations to resolve" some of the most critical vulnerabilities he submitted, noting that some "were simply too easy to exploit."
In addition to the Kaspersky zero-day vulnerabilities, Ormandy has previously discovered flaws in other antivirus products, including in Sophos LLC's antivirus engine in 2011.
Find out more about how antivirus software detects malware
Learn more about how attackers manage to bypass antivirus software