Kaspersky fixes three DoS flaws, one information leak bug. Russian security vendor Kaspersky Lab has recently patched four vulnerabilities in its flagship product, the Kaspersky Internet Security Suite, which allowed attackers to crash the antivirus and disclose information from the computer’s memory.
The Cisco Talos team has identified these four issues (CVE-2016-4304, CVE-2016-4305, CVE-2016-4306, and CVE-2016-4307) affecting the product’s KLIF, KLDISK and KL1 drivers, used to interact with underlying Windows APIs.
One bug is an information disclosure vulnerability, and the other three are DoS (Denial of Service) issues that crash the application.
DoS bugs are considered annoying at best and are low-priority security issues in most software applications, but this doesn’t apply to antivirus engines (or “security systems,” since nobody calls them antiviruses anymore).
“Although these vulnerabilities are not particularly severe, administrators should be aware that security systems can be used by threat actors as part of an attack, and keep such systems fully patched,” the Cisco Talos team notes in their advisory.
DoS bugs can have serious consequences in AV products
An attacker who can run code on a machine with the Kaspersky antivirus installed could feed the antivirus malicious code that could crash the security product, which would allow them to run further malicious code without the antivirus blocking their actions.
The information leak bug could also be used to leak data from the memory and gain details about where certain processes are executing, data needed to plan further attacks and craft targeted exploits.
Kaspersky has addressed all issues with updates to its Internet Security Suite. Earlier this month, at the Black Hat USA 2016 security conference in Las Vegas, Kaspersky announced it was starting a bug bounty program that would reward security researchers for finding and privately disclosing security bugs in its software.
Kaspersky’s decision was overshadowed by Apple’s similar announcement, the Cupertino tech giant announcing a bug bounty program of its own.