Kaspersky closes critical holes in antivirus products
Antivirus vendor Kaspersky has released Maintenance Pack 2 for Kaspersky Anti-Virus 6.0 and Kaspersky Internet Security 6.0 to close a number of security holes, some of which are critical. For instance, attackers can exploit flaws in the installed ActiveX controls AxKLProd60.dll and AxKLSysInfo.dll to download or delete files from a victim's computer. The same is possible with the ActiveX control SysInfo, which allows an FTP transfer to be launched on the user's computer without authentication and without prompting the user. In all three cases, however, the victim first has to visit a malicious website using Internet Explorer. While the Maintenance Pack does remedy the holes, it does not do so by correcting the flaws; instead it deletes the vulnerable controls during installation.
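Because the Maintenance Pack removes the controls rather than patching them, a defender's check is simply whether they are still present. The following audit script is an added example, not from the article or from Kaspersky; it assumes an elevated PowerShell session and the standard COM registration layout, and looks for the two DLL names the article gives both as registered in-process COM servers and as files on disk.

```powershell
# Added example: audit a Windows host for the ActiveX controls named in the advisory.
# Assumptions: elevated PowerShell; standard HKCR\CLSID\<clsid>\InprocServer32 registration.
$VulnerableDlls = @('AxKLProd60.dll', 'AxKLSysInfo.dll')

function Get-VulnerableKasperskyControls {
    $findings = @()

    # 1. COM registrations whose in-process server is one of the named DLLs.
    foreach ($clsidKey in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
        $server = Get-ItemProperty -Path "$($clsidKey.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        if (-not $server -or -not $server.'(default)') { continue }
        $path = [Environment]::ExpandEnvironmentVariables($server.'(default)'.Trim('"'))
        if ($VulnerableDlls -contains (Split-Path -Leaf $path)) {
            $clsid = $clsidKey.PSChildName
            # Internet Explorer will not instantiate a control whose kill bit (0x400) is set,
            # so a registered-but-killbitted control is a weaker finding than a live one.
            $compat = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid" `
                -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            $flags = if ($compat) { $compat.'Compatibility Flags' } else { 0 }
            $findings += [pscustomobject]@{
                Kind       = 'ComRegistration'
                Clsid      = $clsid
                Path       = $path
                FileExists = Test-Path -LiteralPath $path
                KillBitSet = ($flags -band 0x400) -eq 0x400
            }
        }
    }

    # 2. Copies left on disk regardless of registration (e.g. after a partial uninstall).
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($dll in $VulnerableDlls) {
        Get-ChildItem -Path $roots -Filter $dll -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $findings += [pscustomobject]@{
                Kind = 'File'; Clsid = $null; Path = $_.FullName; FileExists = $true; KillBitSet = $null
            }
        }
    }
    return $findings
}

$results = @(Get-VulnerableKasperskyControls)
if ($results.Count -eq 0) { 'No vulnerable Kaspersky ActiveX controls found.' }
else { $results | Format-Table -AutoSize }
```

A host on which Maintenance Pack 2 installed cleanly should report no findings; any ComRegistration row with FileExists true and KillBitSet false means the control can still be loaded by Internet Explorer.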
In addition, two heap overflows have been found in Kaspersky products. One of them can be triggered by specially prepared ARJ archives during an on-demand scan: the scanner can be crashed and code injected and executed. The other overflow is the result of a flaw in the hook function of the driver klif.sys, which can be exploited to execute code with kernel privileges. According to the experts at security service provider iDefense, who made the discovery, these holes are very difficult to exploit. Finally, yet another flaw in this driver allows programs to be executed with the highest privileges (ring 0). The flaws have been remedied in build 188.8.131.524.
Users are advised to download and install the product updates as quickly as possible.
Although Maintenance Pack 2 was released in February, Kaspersky has only now indicated that the product is compatible with Vista. Likewise, information on the critical security holes that the pack patches has only now been made available.
- Kaspersky Anti-Virus 6.0, Kaspersky Internet Security 6.0 - 5 vulnerabilities fixed in Maintenance Pack 2.0 build 184.108.40.2064, Kaspersky's security advisory
- Kaspersky AntiVirus SysInfo ActiveX Control Information Disclosure Vulnerability, iDefense's security advisory
- Kaspersky Internet Security Suite klif.sys Heap Overflow Vulnerability, iDefense's security advisory