The Google security engineer who uncovered ‘major flaws’ in Kaspersky’s antivirus product has claimed some issues are still unfixed – almost three weeks after his original report.
Tavis Ormandy alerted Kaspersky to the problems on Sep 5, warning on Twitter of a number of security vulnerabilities in the company’s antivirus and internet security products that were ‘about as bad as it gets’.
@ryanaraine It's a remote, zero interaction SYSTEM exploit, in default config. So, about as bad as it gets.
— Tavis Ormandy (@taviso) September 5, 2015
Kaspersky rushed out an emergency security patch for its antivirus product within 24 hours, saying that the flaws had been fixed.
‘A fix has already been distributed via automatic updates to all our clients and customers,’ the company said. ‘We’re improving our mitigation strategies to prevent exploiting of inherent imperfections of our software in the future.’
However, following further analysis, Ormandy revealed yesterday that while Kaspersky has made progress, many of the flaws he filed are still unpatched.
Some of the most critical vulnerabilities he submitted were ‘simply too easy to exploit’, but Kaspersky is improving mitigations to resolve them.
‘Some of the bugs Kaspersky has already resolved include vulnerabilities parsing everything from Android DEX files and Microsoft CHM documents to unpacking UPX and Yoda’s Protector,’ said Ormandy.
But he added that he had sent dozens of reports to Kaspersky to investigate, ‘any of which could result in a complete compromise of any Kaspersky Antivirus user’.
According to the engineer, these flaws could affect network intrusion detection, SSL interception, file scanning, browser integration and local privilege escalation.
@kurtseifried Yep, they have billions of users though, so someone's gotta do it. Pretty clear they're not going to do it themselves.
— Tavis Ormandy (@taviso) September 22, 2015
Ormandy has illustrated on Google’s ‘Project Zero’ blog exactly how he exposed one exploit, which he said could be triggered by simply visiting a website or receiving an email. ‘It is not necessary to open or read the email,’ he said, ‘as the filesystem I/O from receiving the email is sufficient to trigger the exploitable condition.’
Other ‘major design flaws’ in components of Kaspersky’s antivirus and internet security products have still not been fixed, Ormandy said, including one that could allow him to carry out a remote network attack.
‘We have strong evidence that an active black market trade in antivirus exploits exists,’ he said. ‘Research shows that it’s an easily accessible attack surface that dramatically increases exposure to targeted attacks.
‘For this reason, the vendors of security products have a responsibility to uphold the highest secure development standards possible to minimise the potential for harm caused by their software.’
Ormandy did, however, congratulate Kaspersky on the speed at which it had responded to his security alert, and said more issues should be fixed over the next few weeks.