Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Security Software Increases Exposure to Attacks: Google Researcher

Security software can considerably increase exposure to targeted attacks, according to Google information security engineer Tavis Ormandy.

Security software can considerably increase exposure to targeted attacks, according to Google information security engineer Tavis Ormandy.

Ormandy and other Google Project Zero researchers have been working on improving the software testing method known as fuzzing in an effort to make the process of identifying security issues more efficient. The expert has been applying some of the techniques to antiviruses and earlier this month he reported finding many serious vulnerabilities in Kaspersky products, including a critical buffer overflow that was quickly patched by the security firm.

In the past, the expert also identified serious security holes in products from ESET and Sophos, and in the future he plans on analyzing solutions from other vendors as well.

In a blog post published on Wednesday, Ormandy detailed some of the vulnerabilities found in Kaspersky products and pointed out that such security holes can pose a serious risk to users since they dramatically increase exposure to targeted attacks.

“For this reason, the vendors of security products have a responsibility to uphold the highest secure development standards possible to minimise the potential for harm caused by their software,” the Google security engineer explained. “Ignoring the question of efficacy, attempting to reduce one’s exposure to opportunistic malware should not result in an increased exposure to targeted attacks.”

Ormandy believes that antivirus vendors should seriously consider sandboxing unpackers, emulators and parsers, and not run them with system privileges. One solution would be the open source Chromium sandbox.

Ormandy claims to have reported dozens of vulnerabilities to Kaspersky Lab, some of which have yet to be fixed.

According to the expert, the vulnerabilities found in Kaspersky products affect features such as network intrusion detection, SSL interception, and file scanning to browser integration. Ormandy says many of the critical vulnerabilities he reported to Kaspersky could have been easily exploited to attack users and compromise their systems.

“Because antivirus products typically intercept filesystem and network traffic, simply visiting a website or receiving an email is sufficient for exploitation. It is not necessary to open or read the email, as the filesystem I/O from receiving the email is sufficient to trigger the exploitable condition,” Ormandy said about one of the issues.

The security company has assured customers that the flaws publicly disclosed by the Google security engineer have been patched in all affected products. Furthermore, the company says it hasn’t found any evidence to suggest that the vulnerabilities have been exploited in the wild, and highlighted the fact that Ormandy’s efforts and findings were backed by the computing power of Google Project Zero.

“The flaws discovered in the code of Kaspersky Lab products led to the incorrect parsing of malformed files in the following formats: DEX, VB6, CHM, ExeCryptor, PE, ‘Yoda’s Protector’, and some other malicious files, which resulted in integer and buffer overflows,” Kaspersky Lab told SecurityWeek. “The first fix was delivered to our clients via automatic database updates within 24 hours of the company becoming aware of the issue; the latest fix for these vulnerabilities was delivered on 13 September 2015. Additionally, we have implemented stack buffer overflow protection (referred to as ‘/GS’ by the researcher) for container extraction, delivering the fix to our customers by 15 September 2015.”

“To further improve the resilience of our products we are taking active measures to mitigate the risks of exploiting the inherent imperfections of software. For instance, we already use such technologies as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP), and plan to expand their usage in future,” the company added.

Ormandy says he is not done auditing Kaspersky products.

Learn More About Fuzzing at the 2015 ICS Cyber Security Conference

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.