Google researcher reveals more Kaspersky bugs, calls out the irony of antivirus

Ormandy has released details of a remote code exploit bug in Kaspersky Antivirus

New research illustrates that even the most reputable security products have design flaws that make the software attractive to government hackers.

Google security engineer Tavis Ormandy has detailed one more serious bug in Kaspersky products after disclosing issues earlier this month that forced the Russian antivirus vendor to issue an emergency patch.

Ormandy has released details of a remote code exploit bug in Kaspersky Antivirus he said he would release earlier this month, but apparently delayed until the vendor hardened the security of its malware scanning components.

The researcher said last week that Kaspersky promised to enable a Microsoft Visual Studio feature known as “/GS”, a security check for buffer overruns, on the condition he delayed publication of his research.

Ormandy has published details on Google’s Project Zero blog of a bug that stems from this setting being disabled, despite Microsoft having enabled /GS by default for some time. Having the setting enabled would have mitigated a buffer overflow bug Ormandy uncovered in Kaspersky’s implementation of VMware’s Thinapp, a product that creates “thinstall” containers which act as virtualisation wrappers around applications.

“Because Kaspersky do not enable /GS, it is possible to overwrite the stack frame and redirect execution quite simply,” Ormandy noted in a vulnerability report sent to Kaspersky early this month.

He said it was “impressive” that Kaspersky had enabled address space layout randomisation (ASLR), which would make it difficult to redirect execution to a predictable location, but added that it was “unacceptable” for it to be shipping products in 2015 without /GS.
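A practitioner reading this will want a way to check a shipped Windows binary for the two settings Ormandy contrasts. The Python below is an added example, not Ormandy's or Kaspersky's code: it reads a PE image's optional header for the DYNAMICBASE (ASLR) flag and its load-config directory for a non-zero SecurityCookie pointer, which the /GS runtime support records, and it builds a constructed sample image to exercise the checks. A zero or absent cookie pointer means /GS cannot be active anywhere in the image; a non-zero pointer only shows that the CRT's /GS support is linked in, so confirming that individual functions carry the check still requires inspecting the code.

```python
import struct

LOAD_CONFIG_INDEX = 10   # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
DYNAMIC_BASE = 0x0040    # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, i.e. ASLR opt-in

def pe_mitigations(data):
    """Return {'gs': bool, 'aslr': bool} for a PE image supplied as bytes."""
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('not a PE image')
    coff = e_lfanew + 4
    _machine, nsect, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from('<HHIIIHH', data, coff)
    opt = coff + 20
    pe64 = struct.unpack_from('<H', data, opt)[0] == 0x20B
    aslr = bool(struct.unpack_from('<H', data, opt + 70)[0] & DYNAMIC_BASE)  # DllCharacteristics is at +70 in both layouts
    ndirs = struct.unpack_from('<I', data, opt + (108 if pe64 else 92))[0]
    gs = False
    if ndirs > LOAD_CONFIG_INDEX:
        dd = opt + (112 if pe64 else 96) + 8 * LOAD_CONFIG_INDEX
        lc_rva, lc_size = struct.unpack_from('<II', data, dd)
        sect_tbl = opt + opt_size
        for i in range(nsect):
            vsize, vaddr, raw_size, raw_ptr = struct.unpack_from('<IIII', data, sect_tbl + 40 * i + 8)
            if lc_rva and vaddr <= lc_rva < vaddr + max(vsize, raw_size):
                cookie_off = raw_ptr + (lc_rva - vaddr) + (0x58 if pe64 else 0x3C)  # SecurityCookie field offset
                if lc_size >= (0x60 if pe64 else 0x40):
                    gs = struct.unpack_from('<Q' if pe64 else '<I', data, cookie_off)[0] != 0
                break
    return {'gs': gs, 'aslr': aslr}

def build_sample_pe(pe64, gs, aslr):
    """Constructed test image (headers plus one section holding a load config); not loadable."""
    opt_size, dd_base = (240, 112) if pe64 else (224, 96)
    lc = bytearray(0x60 if pe64 else 0x40)
    if gs:  # non-zero pointer to the cookie variable, as the /GS runtime records it
        struct.pack_into('<Q' if pe64 else '<I', lc, 0x58 if pe64 else 0x3C, 0x405000)
    opt = bytearray(opt_size)
    struct.pack_into('<H', opt, 0, 0x20B if pe64 else 0x10B)             # Magic
    struct.pack_into('<H', opt, 70, DYNAMIC_BASE if aslr else 0)         # DllCharacteristics
    struct.pack_into('<I', opt, dd_base - 4, 16)                          # NumberOfRvaAndSizes
    struct.pack_into('<II', opt, dd_base + 8 * LOAD_CONFIG_INDEX, 0x1000, len(lc))
    sect = struct.pack('<8sIIII', b'.rdata', len(lc), 0x1000, 0x200, 0x200) + b'\0' * 16
    coff = struct.pack('<HHIIIHH', 0x8664 if pe64 else 0x14C, 1, 0, 0, 0, opt_size, 0)
    dos = bytearray(0x40)
    dos[:2], dos[0x3C:] = b'MZ', struct.pack('<I', 0x40)
    img = dos + b'PE\0\0' + coff + opt + sect
    return bytes(img + b'\0' * (0x200 - len(img)) + lc)
```

To check a real file, read it into bytes and pass it to pe_mitigations; the builder exists only so the checks can be exercised offline.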

Antivirus shouldn’t increase users’ exposure to sophisticated attacks by government and state-sponsored hackers, Ormandy argued.

“The vendors of security products have a responsibility to uphold the highest secure development standards possible to minimise the potential for harm caused by their software,” wrote Ormandy.

“Ignoring the question of efficacy, attempting to reduce one’s exposure to opportunistic malware should not result in an increased exposure to targeted attacks,” he added.

Ormandy has previously found bugs in Sophos’ and ESET’s software and says a probe of other products will follow. However, Kaspersky is a special case due to the popularity of its products, which the company boasts protect 270,000 corporate clients and 400 million users worldwide.

NSA documents released by Edward Snowden earlier this year showed Kaspersky products were the prize target in a campaign by the UK’s GCHQ to reverse engineer antivirus software that stifled its computer network exploitation capability.

More broadly, as Ormandy points out in a link to leaked documents from Italian offensive security firm Hacking Team, exploits for antivirus products are considered valuable.


"We would like to assure all our clients and customers that vulnerabilities publicly disclosed in a blogpost by Google Project Zero researcher, Mr. Tavis Ormandy, have already been fixed in all affected Kaspersky Lab products and solutions," Kaspersky Lab said in a statement.

The spokesperson added that the company hasn't seen evidence these vulnerabilities have been exploited in the wild.


Stories by Liam Tung
