igor - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

Google Project Zero reports more Kaspersky software vulnerabilities

Kaspersky Lab has fixed some of the vulnerabilities in its antivirus products, but a new report from Google Project Zero reveals there's more work to be done.

Kaspersky Lab has fixed some of the serious antivirus vulnerabilities reported earlier this month, but it still has more work to do, as Google Project Zero has reported new Kaspersky software vulnerabilities.

This week, Google Project Zero researcher Tavis Ormandy reported how he discovered some of the Kaspersky zero-day vulnerabilities, as well as how the vulnerabilities can be exploited.

In a statement provided to media outlets, Kaspersky Lab stated that the vulnerabilities publicly disclosed by Ormandy, "have already been fixed in all affected Kaspersky Lab products and solutions," noting further that Kaspersky specialists "have no evidence that these vulnerabilities have been exploited in the wild."

However, it appears there will be more to come. On Tuesday, Ormandy tweeted "For those asking, I haven't finished auditing Kaspersky; still filing new bugs."

Ormandy wrote that "dozens of reports" were sent to Kaspersky Lab to investigate, "any of which could result in a complete compromise of any Kaspersky Antivirus user."

Antivirus zero-day vulnerabilities can be particularly dangerous. "Because antivirus products typically intercept file system and network traffic, simply visiting a website or receiving an email is sufficient for exploitation," Ormandy noted in his blog post. "It is not necessary to open or read the email, as the file system I/O from receiving the email is sufficient to trigger the exploitable condition."

Kaspersky Lab praised Ormandy for his work in its statement. "We would like to thank Mr. Tavis Ormandy for reporting these vulnerabilities to us in a responsible manner. We greatly appreciate his effort and his findings, which were backed by the computing power of Google Project Zero." Kaspersky said it is still working on fixing the vulnerabilities that have not yet been disclosed.

Ormandy, in turn, praised Kaspersky Lab for their prompt response in moving quickly to fix vulnerabilities. He said in the blog post that he was "happy to report that Kaspersky are rolling out some improved mitigations to resolve" some of the most critical vulnerabilities he submitted, noting that some "were simply too easy to exploit."

The vulnerabilities were discovered through the technique of fuzz testing, or fuzzing, which involves bombarding a system with random data and analyzing what data will cause the system to crash.

In addition to the Kaspersky zero-day vulnerabilities, Ormandy has previously discovered flaws in other antivirus products, including in Sophos LLC's antivirus engine in 2011.

Next Steps

Find out more about how antivirus software detects malware

Learn more about how attackers manage to bypass antivirus software

Dig Deeper on Application attacks (buffer overflows, cross-site scripting)

Join the conversation

2 comments

Send me notifications when other members comment.

Please create a username to comment.

Given the latest spate of zero-day antivirus software vulnerabilities, how will your antivirus strategy evolve?
Cancel
The biggest security hole in Kaspersky is not even being mentioned. Eugene Kaspersky is FSB-trained and FSB-loyal. Kaspersky has stated a number of time that his first duty is to Putin and his country. His hand is behind many of the online scams that originate in Russia.

Why would anyone in their right mind install Kaspersky software on their computer of network.
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close