Kaspersky Antivirus Fixes Bug That Allowed Attackers to Block Windows Update and Other Services

Status
Not open for further replies.

Kumaran

Level 4
Thread author
Verified
Well-known
Dec 15, 2013
150


Attackers could have fooled Kaspersky antivirus into blocking Windows Update or some of its own update servers


A vulnerability that allowed abuse by attackers was discovered and quickly fixed in the Kaspersky Internet Security antivirus package, one which allowed hackers to spoof traffic and use the antivirus product against the user and itself.

Google Project Zero security researcher Tavis Ormandy is on a roll these days, finding zero-day exploits in the same Kaspersky antivirus in early September, and then another one in the Avast antivirus just the past week.

Now he turned his sight to the Kaspersky Internet Security package, more specifically to its Network Attack Blocker component, a feature which protects computers against malware and other attacks that rely on the Internet or a local network to propagate.

According to Mr. Ormandy's research, the problem is actually a design flaw, the Network Attack Blocker being "a simple stateless packet filter with a pattern-matching signature system."
This means that the component scans each network packet in turn and does not keep track of whether the stream from which it originates has already been cleared.

The antivirus could have been used to block Windows Update

If a malicious packet is detected trying to slip in, the Kaspersky antivirus simply blacklists that packet's origin IP address.

As Mr. Ormandy explains, an attacker could easily spoof a network packet, and then fool the antivirus into blocking services like Windows Update, Kaspersky's own update servers, or any other IPs which might cripple a computer's defenses, allowing it to carry out further attacks later on.

Additionally, because the Network Attack Blocker does not understand context (application layer), the antivirus can also be fooled into blocking IP addresses by simply embedding a virus signature into an image's metadata, or inside an email.

The vulnerability was detected and reported to Kaspersky on September 11, and the security vendor issued a fix on October 8. Read more
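
Added example (not part of the original post, and not Kaspersky's code): a small Python model of the design flaw described above, next to one possible flow-aware variant. The signature bytes, class names, verdict strings, protected-address list and the documentation-range IP addresses are all assumptions made for illustration; the hardened variant only addresses the spoofed-source case and is not the vendor's actual fix.

```python
from dataclasses import dataclass

SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"  # constructed placeholder, not a real signature

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes

class StatelessBlocker:
    """Behaviour described in the article: judge each packet alone, blacklist its source IP."""
    def __init__(self):
        self.blocked = set()
    def inspect(self, pkt):
        if SIGNATURE in pkt.payload:
            self.blocked.add(pkt.src)  # source address is trusted without verification

class FlowAwareBlocker:
    """Assumed mitigation: blacklist only sources of verified flows, never protected hosts."""
    def __init__(self, protected):
        self.blocked, self.protected, self.established = set(), set(protected), set()
    def handshake_completed(self, src, dst, sport, dport):
        self.established.add((src, dst, sport, dport))
    def inspect(self, pkt):
        if SIGNATURE not in pkt.payload:
            return "pass"
        if (pkt.src, pkt.dst, pkt.sport, pkt.dport) not in self.established:
            return "drop"        # discard the packet, but its source is unverified
        if pkt.src in self.protected:
            return "drop+alert"  # never cut off update infrastructure automatically
        self.blocked.add(pkt.src)
        return "block"

def demo():
    update_server, host = "192.0.2.10", "203.0.113.5"  # hypothetical addresses
    # Constructed packet claiming the update server as source; no handshake was seen.
    forged = Packet(update_server, host, 443, 50000, b"xx" + SIGNATURE)
    # Constructed packet on a flow whose handshake was observed.
    hostile = Packet("198.51.100.7", host, 4444, 50001, SIGNATURE)
    naive = StatelessBlocker()
    naive.inspect(forged)
    aware = FlowAwareBlocker(protected=[update_server])
    aware.handshake_completed("198.51.100.7", host, 4444, 50001)
    verdicts = [aware.inspect(forged), aware.inspect(hostile)]
    return naive.blocked, aware.blocked, verdicts
```

In this model the stateless filter ends up blacklisting the update server's address, while the flow-aware variant drops the unverified packet and blacklists only the source of the verified flow.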
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
Does Tavis Ormandy get a reward (or a bounty, if you like) from reporting this kind of vulnerability?
 
Reactions: OokamiCreed

ABHINAV RAO

New Member
Jul 26, 2014
5
Hello friends, can you suggest an internet security suite for my PC?

My specs:
Intel Pentium D @ 2.6GHz
80 GB hard disk
RAM Corsair DDR3 4GB Desktop (CMV4GX3M1A1333C9)
GPU AMD Radeon HD 5450
 