We’ve written before about how antivirus software is not only resource-intensive but can in some cases make you less secure, because the antivirus itself can be hacked. Now there’s new evidence that Kaspersky Lab’s antivirus software contains bugs that could be exploited remotely in targeted attacks, as Thomas Fox-Brewster reported yesterday. Some of these bugs are detailed in a blog post by Tavis Ormandy, an information security engineer on Google’s Project Zero vulnerability research team.
Although Kaspersky Lab told Ars Technica in a statement that all of the vulnerabilities publicly disclosed in Ormandy’s blog post have been fixed, other bugs remain undisclosed because fixes for them are not yet available.
In addition, Ormandy tweeted that he hasn’t finished auditing Kaspersky yet and is still filing new bugs. “I’ll make another blog post on more remote code execution vulns in Kaspersky as the fixes are released,” he tweeted on September 22nd. “The patches for the remote network attacks I had planned to discuss here were delayed, and so I’ll talk about them in a second post on this topic once the fixes are live,” he further wrote in his original blog post.
One vulnerability Ormandy found would have been far harder to exploit had Kaspersky compiled its code with /GS, the Visual C++ option that places a cookie between a function’s local buffers and its saved return address and terminates the process if that cookie has been overwritten by the time the function returns. That catches many stack buffer overflows, which remain a frequent attack vector. Interestingly, /GS has been enabled by default in Visual C++ for many years, so it is unclear why Kaspersky would have turned it off. Microsoft’s documentation suggests disabling it only “if you expect your application to have no security exposure,” a description that hardly fits software whose job is to parse untrusted files.
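As an added illustration (not code from Ormandy’s post or from Kaspersky), the C model below shows what /GS, or -fstack-protector in GCC and Clang, adds to a function frame: a cookie between the local buffer and the saved return address that is compared before the function returns. The cookie value, the 16-byte buffer and the explicit frame layout are constructed for the demo; the real compiler emits the check in the function epilogue and keeps the cookie in a global initialised at process start-up. The last function shows the check’s limit: an attacker who has already leaked the cookie writes it back and passes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Constructed constant for the demo. A real /GS cookie is generated at
 * process start-up (the MSVC runtime keeps it in __security_cookie), so an
 * attacker cannot predict it without a separate information leak. */
static const uint64_t STACK_COOKIE = 0x2b992ddfa23249d6ULL;

/* Model of a protected stack frame: the compiler places the cookie between
 * the local buffers and the saved return address, so a linear overflow of
 * buf must trample the cookie before it can reach the return address. */
struct frame {
    char     buf[BUF_SIZE];
    uint64_t cookie;
    uint64_t saved_return;
};

/* Copies len bytes of input into the frame the way an unchecked strcpy or
 * memcpy in a parser would, then performs the epilogue check /GS emits.
 * Returns 1 if the cookie is intact (the function would return normally)
 * and 0 if it was overwritten (/GS would call the security-failure handler
 * and terminate the process instead of using the corrupted return address).
 * The copy is clamped to the frame so this model stays within defined
 * behaviour; a real overflow would keep writing past it. */
int copy_and_check(const unsigned char *input, size_t len)
{
    struct frame f;
    f.cookie = STACK_COOKIE;
    f.saved_return = 0x401000;      /* constructed placeholder address */

    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, input, len);         /* buf first, then cookie, then return */

    return f.cookie == STACK_COOKIE;
}

/* Overflow with len bytes of filler: the common case, where the attacker
 * does not know the cookie. Anything past BUF_SIZE bytes trips the check. */
int filler_overflow(size_t len)
{
    unsigned char payload[sizeof(struct frame)];
    memset(payload, 'A', sizeof payload);
    return copy_and_check(payload, len);
}

/* The caveat: an attacker who has leaked the cookie (through a second,
 * read-side bug) writes it back at the right offset and then overwrites the
 * return address; the epilogue check cannot tell this frame from a clean
 * one. /GS raises the bar, it does not fix the underlying bug. */
int overflow_with_cookie(uint64_t cookie_guess, uint64_t fake_return)
{
    unsigned char payload[sizeof(struct frame)];
    memset(payload, 'A', BUF_SIZE);
    memcpy(payload + BUF_SIZE, &cookie_guess, sizeof cookie_guess);
    memcpy(payload + BUF_SIZE + sizeof cookie_guess,
           &fake_return, sizeof fake_return);
    return copy_and_check(payload, sizeof payload);
}

int main(void)
{
    printf("16 bytes into a 16-byte buffer: check %s\n",
           filler_overflow(16) ? "passes" : "fails");
    printf("24 bytes of filler:             check %s\n",
           filler_overflow(24) ? "passes" : "fails");
    printf("overflow with leaked cookie:    check %s\n",
           overflow_with_cookie(STACK_COOKIE, 0x41414141) ? "passes" : "fails");
    printf("overflow with wrong cookie:     check %s\n",
           overflow_with_cookie(0, 0x41414141) ? "passes" : "fails");
    return 0;
}
```

The point of the model is the ordering: because the cookie sits below the return address, a blind overflow cannot reach the return address without corrupting the cookie first, which is why a binary built without /GS turns the same bug into a straightforward return-address overwrite.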
“In [the] future, we would like to see antivirus unpackers, emulators and parsers sandboxed, not run with SYSTEM privileges,” Ormandy wrote. Because Kaspersky’s unpackers ran unsandboxed with SYSTEM privileges, a bug in one of them was not a contained failure but a full compromise of the machine.
Kaspersky Lab is hardly alone. Critical vulnerabilities have previously been found in Sophos Antivirus, Microsoft anti-malware products, FireEye technology, ESET security products, and other anti-virus engines.
As of press time, Kaspersky Lab had not responded to a request for comment.
This article was written by Yael Grauer from Forbes and was legally licensed through the NewsCred publisher network.