Kaspersky’s internet security features in its anti-virus, Internet Security, Full Security, Free Anti-Virus, Safety Cloud and Small Office Security products have been patched with several vulnerabilities.
Researcher Wladimir Palant told Kaspersky in December 2018 that he had found some vulnerabilities associated with brand characteristics that are designed to block ads and trackers.
The issue was how Kaspersky products monitor websites for threats if users don’t install an optional browser extension designed for this task. When the extension is not installed, Kaspersky products inject scripts into the visited web pages to still protect users.
Palant found that it could have easily obtained a hidden value used to secure interaction between the embedded scripts and the request, allowing an attacker to send arbitrary commands to the device. The investigator has shown how a website can use this tool to secretly deactivate ad blocking and monitoring.
Kaspersky told the researcher in July 2019 that the problem had been patched, but Palant found that the repair, which stopped websites from deactivating ad blocking and monitoring, simply “made things worse.” One bug could have been used to gather system information, such as the Windows version and the unique ID of the User. This concern was similar to one that Ronald Eikenberg had described earlier this year, which revealed that a specific app ID could be used to track users online.
The expert also found a denial-of-service flaw, which malicious websites could exploit to crash the antivirus process and leave the system unprotected.
In a blog post published on Monday, Kaspersky revealed how their technology works and how all the vulnerabilities have been fixed. Palant acknowledged that security flaws were mostly patched, but pointed out that websites can still send Kaspersky software commands, and some of these commands may not be harmless. He admits, however, that the entire functionality was not evaluated to assess its potential safety effects.
Kaspersky’s advisory notes that one bug even affected Chrome’s Security extension. This vulnerability allowed an attacker to remotely delete other extensions installed.
In Small Office Security 2019 products and versions 6 of Kaspersky fixed the vulnerabilities with Patch I and Patch J. Fixes for Patch E and Patch F are included in the 2020 products and in Small Office Security version 7.