Security Experts:

Connect with us

Hi, what are you looking for?


Endpoint Security

Vulnerabilities Disclosed in Kaspersky, Trend Micro Products

Vulnerabilities discovered in Kaspersky Secure Connection, Trend Micro Maximum Security, and Autodesk Desktop Application could be exploited for DLL preloading, code execution, and privilege escalation, a security firm has warned.

Vulnerabilities discovered in Kaspersky Secure Connection, Trend Micro Maximum Security, and Autodesk Desktop Application could be exploited for DLL preloading, code execution, and privilege escalation, a security firm has warned.

According to SafeBreach, Kaspersky Secure Connection (KSDE), a VPN client used with various Kaspersky applications, including Security Cloud, Internet Security, Anti-Virus, Total Security, and Kaspersky Free, is impacted by CVE-2019-15689, a vulnerability that could allow an attacker to implant and run an arbitrary unsigned executable. 

The issue is similar to vulnerabilities that SafeBreach has disclosed over the past several weeks in anti-malware applications from McAfee, Symantec, Avast and Avira, where privileged processes attempt to load libraries that are not present at the expected location.

Specifically, KSDE, a signed service that starts automatically at system boot up and which runs as SYSTEM, attempts to load multiple missing DLLs. An attacker able to load an arbitrary DLL could have it run with SYSTEM privileges within the context of ksde.exe.

The root cause of the vulnerability, SafeBreach notes, is that the process does not perform a signature verification against the loaded DLL, and that it attempts to load the library using only the filename and not an absolute path. 

Successful exploitation of the flaw could result in an attacker executing malicious code within the signed Kaspersky process, which enables them to avoid detection.

The Autodesk Desktop Application also attempts to load a missing DLL file, from different directories within the PATH environment variable. An attacker could abuse this to have their own malicious library loaded by the signed process.

The root cause of this vulnerability is the lack of safe DLL loading, complemented by the lack of digital certificate validation. The security flaw is tracked as CVE-2019-7365. 

Analysis of Trend Micro Maximum Security, SafeBreach says, has revealed that, although the software runs as SYSTEM, some of its parts run as non-PPL processes, thus allowing an attacker to load unsigned code, due to the fact that the CIG (Code Integrity Guard) mechanism is not enforced. 

The security researchers discovered that the issue (tracked as CVE-2019-15628) made privilege escalation simple, “allowing a regular user to write the missing DLL file and achieve code execution as NT AUTHORITYSYSTEM.” This could lead to defense evasion, self-defense bypass, persistence, and privilege escalation through the loading of an arbitrary DLL. 

SafeBreach reported these vulnerabilities to the respective vendors in July of this year. All three have acknowledged the bugs and issued CVE numbers for them. 

Related: DLL Hijacking Flaw Impacts Symantec Endpoint Protection

Related: Vulnerability in McAfee Antivirus Products Allows DLL Hijacking

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet