Researcher Claims Kaspersky Anti-Virus Has Security Flaw

An attacker could use malformed files in the Microsoft .cab format to take over target systems.
A major anti-virus vendor's software is itself open to attack, an independent security researcher said Monday.

According to Alex Wheeler, who earlier this year disclosed bugs in many of the biggest security vendors' products, Kaspersky Labs' anti-virus engine can be hacked by attackers armed with maliciously crafted .cab files.

The .cab (cabinet) format is Microsoft's archive format for holding compressed files; it is used on Windows distribution disks and on OEM machines for re-installing Windows and applications.

To check an incoming .cab file for viruses or worms, Kaspersky's engine must first parse the archive, and it is in that parsing that the engine is vulnerable to a heap overflow that could give an attacker complete control of the system. Worse, because the scan itself triggers the flaw, an attack wouldn't require any user interaction and could be initiated through any channel the engine scans, such as SMTP (e-mail), HTTP (Web sites), or FTP (file downloading).
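The article does not say which field of the cabinet format Wheeler's overflow involves, so the following is not a reconstruction of that bug and is not Kaspersky's code. It is an added example of the discipline a scanner's archive parser needs: a bounds-checked reader for the CFHEADER at the start of every .cab file, where each length and offset read from the file is validated against the bytes actually received before it is used to allocate or copy. The header layout follows Microsoft's public cabinet documentation; the sample header it builds is constructed for the example, and the names parse_cfheader, copy_reserve, build_sample and scan_sample are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define CFHDR_RESERVE_PRESENT 0x0004u  /* flags bit: per-cabinet reserve block follows */
#define CFHEADER_FIXED_LEN 36u         /* bytes from "MSCF" through iCabinet */

typedef struct {
    uint32_t cbCabinet;        /* declared size of the whole cabinet file */
    uint32_t coffFiles;        /* offset of the first CFFILE entry */
    uint16_t cFolders, cFiles, flags;
    uint16_t cbCFHeader;       /* size of abReserve, only when the flag is set */
    const uint8_t *abReserve;  /* cbCFHeader bytes inside the input buffer */
} cfheader_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Parse the CFHEADER at the start of buf. Returns 0 on success or a negative
 * code naming the check that failed. Every field read from the file is
 * validated against len, the number of bytes actually present, before it is
 * used as a length or an offset. (Example code, not a vendor's parser.) */
int parse_cfheader(const uint8_t *buf, size_t len, cfheader_t *out)
{
    if (len < CFHEADER_FIXED_LEN || memcmp(buf, "MSCF", 4) != 0) return -1;
    memset(out, 0, sizeof *out);
    out->cbCabinet = rd32(buf + 8);
    out->coffFiles = rd32(buf + 16);
    out->cFolders  = rd16(buf + 26);
    out->cFiles    = rd16(buf + 28);
    out->flags     = rd16(buf + 30);
    size_t pos = CFHEADER_FIXED_LEN;

    /* A cabinet that claims to be bigger than what was delivered is lying;
     * any offset derived from cbCabinet could point past the buffer. */
    if (out->cbCabinet > len) return -2;

    if (out->flags & CFHDR_RESERVE_PRESENT) {
        if (len - pos < 4) return -3;   /* cbCFHeader(2) cbCFFolder(1) cbCFData(1) */
        out->cbCFHeader = rd16(buf + pos);
        pos += 4;
        /* The unchecked version of this step is the classic archive-parser bug:
         * copy cbCFHeader bytes from the input into a heap buffer with no test
         * that the input holds them, or that the buffer can hold them. Bound the
         * field by what remains before touching memory. */
        if ((size_t)out->cbCFHeader > len - pos) return -4;
        out->abReserve = buf + pos;
        pos += out->cbCFHeader;
    }
    /* CFFILE entries must begin after the header and inside the file. */
    if (out->coffFiles < pos || out->coffFiles > len) return -5;
    return 0;
}

/* Copy the reserve block to the heap. Safe only because parse_cfheader has
 * already established that abReserve holds cbCFHeader readable bytes. */
uint8_t *copy_reserve(const cfheader_t *h)
{
    uint8_t *dst = malloc(h->cbCFHeader ? h->cbCFHeader : 1);
    if (dst && h->cbCFHeader) memcpy(dst, h->abReserve, h->cbCFHeader);
    return dst;
}

#define SAMPLE_LEN 48u  /* 36-byte fixed header + 4 reserve-size bytes + 8 reserve bytes */

/* Constructed sample input (not a real cabinet): an otherwise empty cabinet
 * header with a reserve block. The two fields an attacker would lie about are
 * parameters so that each check can be exercised. */
size_t build_sample(uint8_t *buf, uint32_t cbCabinet_field, uint16_t cbCFHeader_field)
{
    memset(buf, 0, SAMPLE_LEN);
    memcpy(buf, "MSCF", 4);
    wr32(buf + 8, cbCabinet_field);
    wr32(buf + 16, SAMPLE_LEN);            /* coffFiles: no CFFILE entries, so end of file */
    buf[24] = 3; buf[25] = 1;              /* format version 1.3 */
    wr16(buf + 30, CFHDR_RESERVE_PRESENT);
    wr16(buf + 36, cbCFHeader_field);      /* cbCFFolder and cbCFData stay 0 */
    return SAMPLE_LEN;
}

/* Build a sample with the given field values and run it through the parser,
 * including the heap copy that an unchecked parser would get wrong. */
int scan_sample(uint32_t cbCabinet_field, uint16_t cbCFHeader_field)
{
    uint8_t buf[SAMPLE_LEN];
    cfheader_t h;
    size_t len = build_sample(buf, cbCabinet_field, cbCFHeader_field);
    int rc = parse_cfheader(buf, len, &h);
    if (rc == 0) free(copy_reserve(&h));
    return rc;
}

int main(void)
{
    printf("well-formed header:            %d\n", scan_sample(SAMPLE_LEN, 8));
    printf("cbCFHeader larger than input:  %d\n", scan_sample(SAMPLE_LEN, 0xFFFF));
    printf("cbCabinet larger than input:   %d\n", scan_sample(1u << 20, 8));
    return 0;
}
```

The point of the example is the order of operations: the parser never lets a number taken from the file decide how many bytes to read or copy until that number has been compared with the size of the data it was actually handed. A gateway or mail scanner applies the same rule to every archive format it opens, since the file arrives from an untrusted sender precisely so that it can be inspected.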

"Due to the library’s independent design and core functionality, it is likely this vulnerability affects a substantial portion of Kaspersky’s gateway, server, and client antivirus enabled product lines on most platforms," said Wheeler in an advisory posted on his Web site.

Kaspersky also OEMs its anti-virus engine to other companies; Wheeler warned that some products from those vendors may be vulnerable as well. A list of Kaspersky's OEM partners is available on the Moscow-based company's Web site.

The Kaspersky bug is similar to one Wheeler identified in late August in rival Sophos' anti-virus engine; that flaw, however, revolved around anti-virus scanning of Microsoft Visio files. While working with Internet Security Systems (ISS) earlier in the year, Wheeler helped identify vulnerabilities in products produced by most of the prominent players in the anti-virus market, including Symantec, F-Secure, and Trend Micro.

Symantec issued a quick alert Monday following Wheeler's disclosure, and recommended that enterprises block all .cab files at the network edge, limit communications with potentially vulnerable devices to trusted hosts only, and monitor intrusion detection hardware and software for signs of incoming attacks.

But even that may not be enough, Symantec warned.

"It should be noted that none of these mitigating strategies will prevent a determined attacker from exploiting these vulnerabilities, short of disabling vulnerable software and devices."

Kaspersky Labs did not reply to a request for comment.
