Google researcher finds more zero-days in Kaspersky anti-virus

Security-related flaws are never acceptable in a program whose whole purpose is to protect the machine it runs on. But every program is code written by humans, so bugs are bound to go unnoticed, and attackers are always happy to find vulnerabilities in antivirus products.

Tavis Ormandy, a security researcher at Google, has revealed a series of zero-day vulnerabilities in the popular Kaspersky antivirus, one after another. The first lay in the way Kaspersky handled ‘Thinstall’ or ‘ThinApp’ containers – virtual wrappers around applications. Ormandy found the vendor hadn’t turned on a compiler protection designed to stop certain buffer overflows from being exploited – bugs where data written past the end of a buffer overwrites adjacent memory, including the addresses that decide what code runs next.

Kaspersky had also switched on a technology that randomises where code is placed in memory (address space layout randomisation), so an attacker can’t predict where the pieces needed for an exploit will be. That should have made attacks far more difficult, but Ormandy found the technology had not been applied correctly, leaving the memory layout predictable rather than random. To exploit the flaw and launch the Windows calculator – the standard proof of exploitation in hacker circles – Ormandy put his attack code in a ZIP file. That was then attached to a Windows Dynamic-Link Library (DLL) file, the kind of file programs use to share code and resources.
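To make the two missing mitigations concrete, here is an added example that is not Kaspersky’s code and does not use the real Thinstall/ThinApp layout (which the article does not describe). It uses a constructed toy container header with a length field, and shows the unchecked-copy shape that a stack buffer overflow in an unpacker takes, beside a bounded version that rejects a lying length before copying anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32

/* Constructed toy container header, for illustration only (NOT the real
 * Thinstall/ThinApp format):
 *   bytes 0..3  magic "TOYC"
 *   bytes 4..5  name_len, unsigned 16-bit little-endian
 *   bytes 6..   name_len bytes of name, not NUL-terminated
 */
static unsigned read_u16le(const uint8_t *p) { return p[0] | (p[1] << 8); }

/* Vulnerable shape: the length comes straight from the file and is used as
 * the copy size into a fixed stack buffer. name_len can be up to 65535, so
 * the copy runs past name[] into the saved frame pointer and return address.
 * Built without /GS (MSVC) or -fstack-protector (GCC/Clang) there is no
 * canary to catch it; with a module at a predictable address (no working
 * ASLR) the attacker also knows where to point the overwritten return. */
int parse_name_vulnerable(const uint8_t *buf, size_t len, char *out, size_t out_len)
{
    char name[NAME_MAX];
    if (len < 6 || memcmp(buf, "TOYC", 4) != 0) return -1;
    unsigned name_len = read_u16le(buf + 4);
    memcpy(name, buf + 6, name_len);          /* unchecked: stack buffer overflow */
    name[name_len] = '\0';
    snprintf(out, out_len, "%s", name);
    return 0;
}

/* Hardened shape: an attacker-controlled length is checked against both the
 * destination buffer and the bytes actually present before any copy. */
int parse_name_hardened(const uint8_t *buf, size_t len, char *out, size_t out_len)
{
    char name[NAME_MAX];
    if (len < 6 || memcmp(buf, "TOYC", 4) != 0) return -1;
    size_t name_len = read_u16le(buf + 4);
    if (name_len >= sizeof name) return -2;   /* would overflow name[] (room for NUL) */
    if (name_len > len - 6)      return -3;   /* claims more bytes than the input has */
    memcpy(name, buf + 6, name_len);
    name[name_len] = '\0';
    snprintf(out, out_len, "%s", name);
    return 0;
}

/* Builds a sample container in dst. claimed_len lets the caller lie about
 * the length, as a malicious file would. Returns bytes written. */
size_t build_sample(uint8_t *dst, size_t cap, const char *name, unsigned claimed_len)
{
    size_t n = strlen(name);
    if (cap < 6 + n) return 0;
    memcpy(dst, "TOYC", 4);
    dst[4] = claimed_len & 0xff;
    dst[5] = (claimed_len >> 8) & 0xff;
    memcpy(dst + 6, name, n);
    return 6 + n;
}

/* Wrappers that parse a constructed sample ("calc.exe", 8 real bytes) with a
 * chosen claimed length; last_parsed_name() exposes the extracted name. */
static char last_name[64];

int hardened_result(unsigned claimed_len)
{
    uint8_t buf[64];
    size_t n = build_sample(buf, sizeof buf, "calc.exe", claimed_len);
    last_name[0] = '\0';
    return parse_name_hardened(buf, n, last_name, sizeof last_name);
}

/* Only ever called with an honest length here; an oversize length would
 * corrupt the stack, which is the bug, not something to demonstrate live. */
int vulnerable_result_honest(void)
{
    uint8_t buf[64];
    size_t n = build_sample(buf, sizeof buf, "calc.exe", 8);
    last_name[0] = '\0';
    return parse_name_vulnerable(buf, n, last_name, sizeof last_name);
}

const char *last_parsed_name(void) { return last_name; }

int main(void)
{
    printf("honest length:   %d (%s)\n", hardened_result(8), last_parsed_name());
    printf("oversize length: %d\n", hardened_result(0xFFFF));
    printf("short input:     %d\n", hardened_result(9));
    return 0;
}
```

The canary and the randomisation the article refers to are build-time settings (/GS and /DYNAMICBASE on MSVC; -fstack-protector-strong and -fPIE/-pie with relocatable modules on GCC/Clang), and a single module loaded at a fixed address is enough to give an attacker the predictable layout the article describes. The bounds checks in the hardened parser are what keep the overflow from existing at all; the mitigations are the safety net for the checks nobody wrote.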

Ormandy said his exploits worked on versions 15 and 16 of Kaspersky Antivirus on Windows 7. A Kaspersky spokesperson said the vulnerabilities publicly disclosed by Ormandy, including those from earlier in the month, had been fixed in all affected Kaspersky Lab products. “Our specialists have no evidence that these vulnerabilities have been exploited in the wild,” they added. The buffer overflow protection that Kaspersky had neglected to turn on was activated on 15 September.

But the Google Project Zero researcher noted he was sitting on a number of other Kaspersky vulnerabilities. “Many of the reports I’ve filed are still unfixed, but Kaspersky has made enough progress that I can talk about some of the issues. One notable observation from this work was that some of the most critical vulnerabilities I’ve been submitting were simply too easy to exploit, and I’m happy to report that Kaspersky are rolling out some improved mitigations to resolve that,” he added, praising the firm for its quick response. Ormandy has promised to look at other vendors soon.

Researchers continue to highlight an awkward truth for security companies trying to detect malware: because of the privileges their products hold on individuals’ computers and business networks, they are themselves a very attractive target for hackers. And as has been shown repeatedly, they are often vulnerable.

Pointing to spy and police contractor Hacking Team’s list of anti-virus vulnerabilities, Ormandy noted: “The vendors of security products have a responsibility to uphold the highest secure development standards possible to minimise the potential for harm caused by their software.

“Ignoring the question of efficacy, attempting to reduce one’s exposure to opportunistic malware should not result in an increased exposure to targeted attacks.”

The most capable attackers in the world are keen to break anti-virus too. The NSA was said to have targeted a wide range of vendors, while a recent breach of Kaspersky itself was linked to Israel.

Nor is it only Kaspersky: many other names in this field have been found to have serious weaknesses in their software, among them Sophos, ESET and FireEye.

The effect of such implementation bugs has started to show on the business side, at least in the number of users, whether individuals or firms. Some have decided to ditch antivirus altogether, the most notable among them being Netflix.