Google Hacker Digs Up More Kaspersky Zero Days, Demands Better From Anti-Virus Industry

Google’s Tavis Ormandy has a knack for exposing gaping security vulnerabilities in anti-virus products from the biggest vendors. First it was Sophos, then it was ESET, and now the researcher has applied his hacking skills to Kaspersky.

Having already detailed a handful of problems in the firm’s anti-virus earlier this month, Ormandy has disclosed another issue that would allow hackers to exploit Kaspersky Antivirus, and potentially the products of other companies that license the same engine behind the Russian firm's malware detection technology. That includes Check Point’s ZoneAlarm.

Ormandy’s latest exploits against Kaspersky, described in a Google Project Zero blog post, could be triggered simply by emailing a file to the target or having them visit a website, much as researchers recently managed with holes in FireEye technology, which is marketed as more advanced than everyday anti-virus.

The first vulnerability lay in the way Kaspersky handled 'Thinstall' or 'ThinApp' containers, virtual wrappers around applications. Ormandy found the vulnerable component had been built without a standard compiler mitigation designed to catch certain buffer overflows, bugs in which data written past the end of a fixed-size buffer overwrites adjacent memory and lets an attacker hijack the program's execution.

Kaspersky had also switched on address space layout randomisation (ASLR), which randomises where code and data are placed in memory so that an attacker cannot reliably predict the addresses an exploit needs. That should have made attacks far harder, but Ormandy found the technology had not been implemented correctly, so the memory layout was not random at all.
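To make the class of bug concrete, here is an added example that is not Kaspersky's code and does not use the Thinstall/ThinApp format: a toy unpacker for a made-up record layout (a 4-byte length followed by the payload) that first trusts the length field from the file and then validates it. The record layout, the function names and the NAME_MAX buffer size are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a made-up container record format, not Thinstall/ThinApp.
 * Layout: 4-byte little-endian payload length, then the payload bytes. */
#define NAME_MAX 64

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* BEFORE: trusts the length field taken from the file.
 * A record that claims more than NAME_MAX bytes makes memcpy write past the
 * end of the stack buffer, a classic stack buffer overflow. Stack cookies
 * (/GS on MSVC, -fstack-protector on GCC/Clang) would abort before the
 * corrupted return address is used; without them, and without effective
 * ASLR, the attacker knows exactly what to overwrite and where to jump.
 * Kept here only to show the bug; the demo never feeds it hostile input. */
int unpack_unchecked(const uint8_t *rec, size_t rec_len)
{
    char name[NAME_MAX];
    if (rec_len < 4)
        return -1;
    uint32_t n = read_le32(rec);
    memcpy(name, rec + 4, n);   /* n is never compared with sizeof name */
    return (int)n;
}

/* AFTER: check the untrusted length against both the bytes actually present
 * in the record and the size of the destination before copying. */
int unpack_checked(const uint8_t *rec, size_t rec_len, char *out, size_t out_len)
{
    if (rec_len < 4)
        return -1;
    uint32_t n = read_le32(rec);
    if (n > rec_len - 4)        /* claims more payload than the record holds */
        return -1;
    if (n >= out_len)           /* would not fit, including the terminating NUL */
        return -1;
    memcpy(out, rec + 4, n);
    out[n] = '\0';
    return (int)n;
}

/* Builds a record with a chosen (possibly lying) length field. Constructed input. */
static size_t make_record(uint8_t *buf, uint32_t claimed, const char *payload, size_t payload_len)
{
    buf[0] = (uint8_t)claimed;         buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)(claimed >> 16); buf[3] = (uint8_t)(claimed >> 24);
    memcpy(buf + 4, payload, payload_len);
    return 4 + payload_len;
}

/* Honest record: length matches the payload and fits the buffer. Returns 5. */
int demo_valid(void)
{
    uint8_t rec[4 + 5];
    char out[NAME_MAX];
    size_t len = make_record(rec, 5, "hello", 5);
    return unpack_checked(rec, len, out, sizeof out);
}

/* Length field lies about the record (claims 4096 bytes, holds 5). Returns -1. */
int demo_length_exceeds_record(void)
{
    uint8_t rec[4 + 5];
    char out[NAME_MAX];
    size_t len = make_record(rec, 4096, "hello", 5);
    return unpack_checked(rec, len, out, sizeof out);
}

/* Record is internally consistent but the payload is bigger than the
 * destination: exactly the case that overflows unpack_unchecked. Returns -1. */
int demo_payload_exceeds_buffer(void)
{
    uint8_t rec[4 + 100];
    char payload[100];
    char out[NAME_MAX];
    memset(payload, 'A', sizeof payload);
    size_t len = make_record(rec, 100, payload, sizeof payload);
    return unpack_checked(rec, len, out, sizeof out);
}

int main(void)
{
    printf("valid record: %d\n", demo_valid());
    printf("length field exceeds record: %d\n", demo_length_exceeds_record());
    printf("payload exceeds buffer: %d\n", demo_payload_exceeds_buffer());
    return 0;
}
```

The two checks in unpack_checked are independent: the first stops a length field from walking off the end of the input (an out-of-bounds read), the second stops the copy from walking off the end of the destination (the write that the mitigations discussed above are meant to catch). Stack cookies and ASLR only make the unchecked version harder to exploit; the bounds check removes the bug.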

To finally exploit the flaw and launch the Windows calculator, the standard proof of exploitation in hacker circles, Ormandy put his attack code in a ZIP file, which was then attached to a Windows Dynamic-Link Library (DLL) file, the shared code libraries that Windows programs load to perform common tasks.

Ormandy said his exploits worked on versions 15 and 16 of Kaspersky Antivirus on Windows 7. A Kaspersky spokesperson said the vulnerabilities publicly disclosed by Ormandy, including those from earlier in the month, were fixed in all affected Kaspersky Lab products. "Our specialists have no evidence that these vulnerabilities have been exploited in the wild," they added. The overflow mitigation that Kaspersky had neglected to turn on was activated on 15 September.

But the Project Zero researcher noted he was sitting on a number of other Kaspersky vulnerabilities. “Many of the reports I’ve filed are still unfixed, but Kaspersky has made enough progress that I can talk about some of the issues. One notable observation from this work was that some of the most critical vulnerabilities I’ve been submitting were simply too easy to exploit, and I’m happy to report that Kaspersky are rolling out some improved mitigations to resolve that,” he added, praising the firm for its quick response. Ormandy has promised to research other vendors soon.

From FireEye to Kaspersky, researchers are continuing to highlight an awkward truth for security companies trying to detect malware: due to the privileges they have on individuals’ computers and business networks, they are themselves a very good target for hackers. And as has been proven, they are often vulnerable.

Pointing to spy and police contractor Hacking Team's list of anti-virus vulnerabilities, Ormandy noted: "The vendors of security products have a responsibility to uphold the highest secure development standards possible to minimise the potential for harm caused by their software.

"Ignoring the question of efficacy, attempting to reduce one’s exposure to opportunistic malware should not result in an increased exposure to targeted attacks."

The smartest hackers in the world are keen to expose anti-virus too. The NSA was said to have targeted a wide range of vendors, whilst a recent breach of Kaspersky was linked to Israel.

Fed up with its insecurities, its heavy computation requirements and its inability to catch more sophisticated malware, some have decided to ditch anti-virus altogether, the most notable being Netflix.