Pierluigi Paganini November 26, 2019

Kaspersky has fixed several flaws affecting the web protection features implemented in some of its security products

Kaspersky has addressed several vulnerabilities in the web protection features implemented in its antivirus solutions, including Internet Security, Total Security, Free Anti-Virus, Security Cloud, and Small Office Security products.

The vulnerabilities were found by the security researcher Wladimir Palant that reported them to Kaspersky in December 2018.

The issue affects Kaspersky’s web protection feature used by the security products of the company to block ads and trackers and to warn users about malicious search results and much more.

Kaspersky leverages on an optional browser extension to implement these features. If the browser extension is not installed, Kaspersky solutions inject scripts into the visited web pages to perform the same task.

“Kaspersky developers obviously came up with a solution, or I wouldn’t be writing this now. They decided to share a secret between application and the scripts (called “signature” in their code). This secret value has to be provided when establishing a connection, and the local server will only respond when receiving the correct value.” reads the post published by the expert.

Palant demonstrated that it was possible to determine the secret value used to protect the communications between the injected scripts and the security solution. The knowledge of the value could allow the attacker to eavesdrop the traffic and manipulate it to send commands to the applications.

A website under the control of the attacker could use the secret value to silently disable adblocking and tracking protection.

In July Kaspersky told Palant that it had addressed the issue, but the researcher discovered that the fix did not work properly.

“In December 2018 I could prove that websites can hijack the communication between Kaspersky browser scripts and their main application in all possible configurations. This allowed websites to manipulate the application in a number of ways, including disabling ad blocking and tracking protection functionality.” continues the analysis.

“Kaspersky reported these issues to be resolved as of July 2019. Yet further investigation revealed that merely the more powerful API calls have been restricted, the bulk of them still being accessible to any website. Worse yet, the new version leaked a considerable amount of data about user’s system, including a unique identifier of the Kaspersky installation. It also introduced an issue which allowed any website to trigger a crash in the application, leaving the user without antivirus protection.”

The fix initially proposed by Kaspersky introduced new issues that could have been exploited to collect information about the system.

The expert also found a DoS vulnerability that could have been exploited by malicious websites to crash the antivirus solution, leaving the target system without any protection.

This week Kaspersky published a post to confirm that all the issued found by Palant have been fixed.

“Thanks to Wladimir Palant, we were able to significantly enhance the protection of the communication channel between the scripts or the plugin and the main app.” reads the post.

“Kaspersky Lab has fixed a security issue found by Wladimir Palant in Kaspersky Password Manager that could potentially lead remote unauthorized access by 3rd parties to information about address items which are stored in the vault while it is in unlocked state. No other data in the vault could be compromised. Issue category: Data Leakage. Issue type: Information Disclosure. To exploit this issue an attacker would need to lure a user for visiting a specially crafted web page.” reads the advisory published by Kaspersky.

Palant agreed that most of the issues were fixed, but pointed out that websites can still send some commands to the Kaspersky solutions.

“The crash was also mostly fixed. As in: under some circumstances, antivirus would still crash. At least it doesn’t look like websites can still trigger it, only browser extensions or local applications.” wrote Palant in a new post.

So another patch will become available this week, and this time the crash will hopefully be a thing of the past. One thing won’t change however: websites can still send commands to Kaspersky applications. Is all the functionality they can trigger there harmless? I wouldn’t bet on it.”

Pierluigi Paganini

(SecurityAffairs – Kaspersky, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]