Anti-Virus software hit with 6 critical vulnerabilities

Kaspersky Labs announced over easter that their latest maintenance pack fixes six critical security vulnerabilities in their anti-virus software. The security flaws affect the Anti-Virus 6.0 and Internet Security products, including both the workstation and server editions.

The vulnerabilities centre on holes in ActiveX controls and heap overflows in bundled DLLs, and gave attackers the full range of outcomes, including remote code execution, escalation to system privileges, memory corruption and transfer of files over FTP.

The flaws were discovered by security research firms TippingPoint and iDefence, which are owned by 3Com and Verisign respectively.

The worrying thing, aside from the fact that a product designed specifically as a security tool can be home to such serious security holes, is that these problems were discovered as far back as November last year and fixed over four months later. For a firm that's supposed to be at the cutting edge of virus and exploit technology, this seems more than a little slack, particularly as they push out virus definition updates much more regularly. Security by obscurity is a dangerous habit that many companies are criticised for by security firms; however, it appears that it's the way Kaspersky keeps their own house in order.

More details can be found in Kaspersky's releases about the flaws, http://www.kaspersky.com/technews?id=203038693 and http://www.kaspersky.com/technews?id=203038694, as well as on the Zero Day Initiative's advisories page and iDefence's vulnerabilities list.

Posted by Nick Gibson.