Kaspersky has addressed several vulnerabilities in the web protection features implemented in its antivirus solutions, including Internet Security, Total Security, Free
The vulnerabilities were found by the security researcher Wladimir Palant that reported them to Kaspersky in December 2018.
The issue affects Kaspersky’s web protection feature used by the security products of the company to block ads and trackers and to warn users about malicious search results and much more.
Kaspersky leverages on an optional browser extension to implement these features. If the browser extension is not installed, Kaspersky solutions inject scripts into the visited web pages to perform the same task.
“Kaspersky developers obviously came up with a solution, or I wouldn’t be writing this now. They decided to share a secret between
A website under the control of the attacker could use the secret value to silently disable
In July Kaspersky told
“In December 2018 I could prove that websites can hijack the communication between Kaspersky browser scripts and their main application in all possible configurations. This allowed websites to manipulate the application in a number of ways, including disabling ad blocking and tracking protection functionality.” continues the analysis.
“Kaspersky reported these issues to be resolved as of July 2019. Yet further investigation revealed that merely the more powerful API calls have been restricted, the bulk of them still being accessible to any website. Worse yet, the new version leaked a considerable amount of data about user’s system, including a unique identifier of the Kaspersky installation. It also introduced an issue which allowed any website to trigger a crash in the application, leaving the user without antivirus protection.”
The fix initially proposed by Kaspersky introduced new issues that could have been exploited to collect information about the system.
The expert also found a DoS vulnerability that could have been exploited by malicious websites to crash the antivirus solution, leaving the target system without any protection.
“Thanks to Wladimir Palant, we were able to significantly enhance the protection of the communication channel between the scripts or the plugin and the main app.” reads the post.
“Kaspersky Lab has fixed a security issue found by Wladimir Palant in Kaspersky Password Manager that could potentially lead remote unauthorized access by 3rd parties to information about address items which are stored in the vault while it is in
Palant agreed that most of the issues were fixed, but pointed out that websites can still send some commands to the Kaspersky solutions.
So another patch will become available this week, and this time the crash will hopefully be a thing of the past. One thing won’t
(SecurityAffairs – Kaspersky, hacking)