Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

Google Researcher Finds Certificate Flaws in Kaspersky Products

Google Project Zero researcher Tavis Ormandy has discovered two serious certificate-related issues in Kaspersky Lab’s anti-malware products. The flaws were addressed by the security firm in late December.

Google Project Zero researcher Tavis Ormandy has discovered two serious certificate-related issues in Kaspersky Lab’s anti-malware products. The flaws were addressed by the security firm in late December.

The first vulnerability, rated “critical” by Ormandy, is related to how Kaspersky Antivirus inspects SSL/TLS connections. According to the expert, Kaspersky uses a Windows Filtering Platform driver to intercept outgoing HTTPS connections.

The company proxies SSL connections by adding its own certificate as a trusted authority to the system store and replacing all leaf (end-entity) certificates on the fly. This results in certificates appearing as if they have been issued by “Kaspersky Anti-Virus Personal Root Certificate” on systems running Kaspersky Antivirus.

“Kaspersky cache recently generated certificates in memory in case the user agent initiates another connection. In order to do this, Kaspersky fetches the certificate chain and then checks if it’s already generated a matching leaf certificate in the cache. If it has, it just grabs the existing certificate and private key and then reuses it for the new connection,” Ormandy explained in an advisory.

“The cache is a binary tree, and as new leaf certificates and keys are generated, they’re inserted using the first 32 bits of MD5(serialNumber||issuer) as the key. If a match is found for a key, they just pull the previously generated certificate and key out of the binary tree and start using it to relay data to the user-agent,” the expert added.

The problem, according to the researcher, was that the 32-bit key was not enough to prevent a man-in-the-middle (MitM) attacker from creating collisions. The expert said an attacker could have intercepted all traffic to a certain domain (e.g. by sending the targeted Kaspersky Antivirus user two certificates with the same key.

A search of certificate transparency logs revealed, for instance, that the certificate used by Hacker News ( had the same serialNumber/issuer hash as the certificate for the website of Manchester, Connecticut (

“So if you use Kaspersky Antivirus in Manchester, Connecticut and were wondering why Hacker News didn’t work sometimes, it’s because of a critical vulnerability that has effectively disabled SSL certificate validation for all 400 million Kaspersky users,” the expert said.

The second vulnerability found by Ormandy, rated “high severity,” involves improper protection of the private key for the local CA root. The problem was that the security firm stored the private key in the ProgramData folder and used an ACCESS_MASK blacklist instead of a file system access control list (ACL) to protect it.

“This is trivial to exploit, any unprivileged user can now become a CA,” Ormandy said in an advisory describing the issue.

The flaws were reported to Kaspersky on October 31 and November 11 and they were addressed on December 28.

This was not the first time Ormandy discovered vulnerabilities in Kaspersky products. Since September 2015, the Google researcher reported identifying 17 security holes in Antivirus and other applications.

UPDATE. Kaspersky Lab told SecurityWeek that the issues have been addressed in the following products: Small Office Security for Windows, Fraud Prevention for Windows, Anti-Virus 2016 and 2017, Internet Security for Windows 2016 and 2017, Total Security for Windows 2016 and 2017, and Safe Kids for Windows 1.1. 

“The security of our customers is our top priority, which is why Kaspersky Lab takes all reports about potential security issues seriously. The issues linked to the processing of SSL certificates, recently disclosed by Google Project Zero researcher Tavis Ormandy, have been fixed, and we have no evidence that any of these have been exploited in the wild,” the company said in an emailed statement.

“The fixes were included in auto update released to customers on December 28, 2016. A fix for Kaspersky Endpoint Security for Mac is included in the new version of the product. To apply the fixes, customers should update their products. We would like to thank Mr. Ormandy for reporting these vulnerabilities to us in a responsible manner.”

Related: Palo Alto Networks Patches Flaws Found by Google Researcher

Related: Critical Vulnerability in Symantec AV Engine Exploited by Just Sending an Email

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.