New research illustrates that even the most reputable security products have design flaws that make the software attractive to government hackers.
Google security engineer Tavis Ormandy has detailed one more serious bug in Kaspersky products after disclosing issues earlier this month that forced the Russian antivirus vendor to issue an emergency patch.
Ormandy has released details of a remote code exploit bug in Kaspersky Antivirus he said he would release earlier this month, but apparently delayed until the vendor hardened the security of its malware scanning components.
The researcher said last week that Kaspersky promised to enable a Microsoft Visual Studio feature known as “/GS”, a security check for buffer overruns, on the condition he delayed publication of his research.
Ormandy has published details on Google’s Project Zero blog of a bug that stems from this setting being disabled, despite Microsoft having enabled /GS by default for some time. Having the setting enabled would have mitigated a buffer overflow bug Ormandy uncovered in Kaspersky’s implementation of VMware’s Thinapp, a product that creates “thinstall” containers which act as virtualisation wrappers around applications.
“Because Kaspersky do not enable /GS, it is possible to overwrite the stack frame and redirect execution quite simply,” Ormandy noted in a vulnerability report sent to Kaspersky early this month.
He said it was “impressive” that Kaspersky had enabled address space layout randomisation (ASLR), which would make it difficult to redirect execution to a predictable location, but added that it was “unacceptable" for it be shipping products in 2015 without /GS.
Antivirus shouldn’t increase users’ exposure to sophisticated attacks by government and state sponsored funded hackers, Ormandy argued.
“The vendors of security products have a responsibility to uphold the highest secure development standards possible to minimise the potential for harm caused by their software,” wrote Ormandy.
“Ignoring the question of efficacy, attempting to reduce one’s exposure to opportunistic malware should not result in an increased exposure to targeted attacks,” he added.
Ormandy has previously found bugs in Sophos' and ESET’s software and says a probe of other products will follow. However Kaspersky is a special case due to the popularity of its products, which the company boasts protects 270,000 corporate clients and 400 million users worldwide.
NSA documents released by Edward Snowden earlier this year showed Kaspersky products were the prize target in a campaign by the UK’s GCHQ campaign to reverse engineer antivirus software that stifled its computer network exploitation capability.
More broadly, as Ormandy points out in a link to leaked documents from Italian offensive security firm Hacking Team, exploits for antivirus products are considered valuable.
"We would like to assure all our clients and customers that vulnerabilities publicly disclosed in a blogpost by Google Project Zero researcher, Mr. Tavis Ormandy, have already been fixed in all affected Kaspersky Lab products and solutions," Kaspersky Lab said in a statement.
The spokesperson added that the company hasn't seen evidence these vulnerabilities have been exploited in the wild.
Blast from the past?
Read more: The week in security: Inside the antivirus pressure-sell; Adobe's 38m-strong privacy breach
Try our new Space Invaders inspired video game NOW.
What score can you get ?