Kaspersky patched one bug, but more to come, says Google’s antivirus hacker

Russian antivirus firm Kaspersky may need to follow up its most recent patch with more fixes if a Google security researcher is right.

Kaspersky, which has recently been deflecting claims it doctored files to throw off its antivirus rivals, rushed out a patch over the weekend to address a bug in its own product that was reported by Google security engineer Tavis Ormandy.

Ormandy on Saturday revealed he had reported a bug to Kaspersky that could be exploited remotely and without user interaction, meaning a computer running vulnerable Kaspersky antivirus products could be commandeered by an attacker if its user simply visited a rigged website.

Kaspersky on Monday said it had pushed out a patch over the weekend, within a day of receiving Ormandy’s report. Users would receive the update automatically.

Given the automatic update, many Kaspersky users wouldn't have noticed the fix, but they may receive further security updates this week to fix more flaws that Ormandy reported on Monday.

“Alright, sent Kaspersky some more vulnerabilities to investigate, many obviously exploitable. I'll triage the remaining bugs tomorrow,” said Ormandy.

It’s not clear from the statement how serious the bugs are, nor how they can be exploited.

CSO Australia has asked Kaspersky whether it’s received the latest report from Ormandy and whether it can confirm the bugs do exist.

Ormandy, a member of Google’s elite hacker group Project Zero, has previously called out Kaspersky’s rivals Sophos and ESET for security flaws. The security engineer has also had run-ins with researchers at antivirus vendors over his disclosure practices.

Graham Cluley, formerly of Sophos, in 2010 criticised Ormandy for publishing exploit code based on flaws he’d found in a Windows component after giving Microsoft only five days to fix the problem before revealing them. Cluley noted at the time that hackers were quick to exploit the information Ormandy divulged. Two years later Ormandy revealed flaws in Sophos' products, though he was more generous with his disclosure deadline than he was with Microsoft.

Cluley suggested in a blog post on the weekend that Ormandy, in selecting the day before a public holiday in the US, may have an agenda to make life difficult for antivirus vendors.

“One has to question the timing of Ormandy's announcement just before a long holiday weekend in the United States, which clearly makes it as difficult as possible for a corporation to put together a response for concerned users.”


Stories by Liam Tung
