Back in December of last year, independent researcher Vladimir Palant discovered a number of vulnerabilities in Kaspersky Lab products. Since then, the antivirus vendor has been unable to fix them.
Palant was studying Kaspersky Internet Security 2019 when he noticed its web protection feature, which warns about malware in search results, blocks ads and trackers, and so on. The specialist explains that this functionality works in the browser while interacting with the main application, and that the communication channel between the two turned out to have a number of problems.
In theory, this communication is protected by a special signature that the website does not know. Palant discovered, however, that a site can find out the signature relatively easily and then abuse the functionality of the security product, for example to disable ad blocking or tracking protection.
Kaspersky Lab specialists, who have already thanked the researcher for his efforts, explain that a browser extension normally handles the tasks described above. If the extension is not installed, however, the security application injects special scripts into the visited pages and uses them to track threats. In such cases, the communication channel mentioned above is established between the script and the main body of the security solution.
“The introduction of such scripts is a typical practice in the anti-virus industry, although not everyone uses this method. Basically, scripts serve to increase user comfort (for example, help block ad banners). In addition, for example, they protect against attacks using dynamic web pages that otherwise could not be detected (if the Kaspersky Protection extension is disabled or missing). The work of components such as phishing protection and parental control is based on these scripts,” explain the developers from Kaspersky Lab.
As for the vulnerabilities Palant discovered, Kaspersky Lab released the first patches for them in the summer of 2019. However, these patches only restricted websites' access to features, specifically the ones Palant had used to demonstrate the vulnerabilities: completely disabling ad blocking and tracking protection.
In addition, problems arose that had not existed before: sites were able to collect various information about the system, including a unique user ID that can be used to identify the user even across different browsers.
Worse, the fix introduced a new bug that allowed sites to crash the antivirus. As a result, sites were able to disable the antivirus and leave the system unprotected.
The second attempt to get rid of the problems took place in November 2019 and was more successful. Data about the user’s system no longer leaks out, and sites can no longer cause the antivirus to malfunction (this is now possible only for local applications and browser extensions).
However, Vladimir Palant notes that another patch should appear soon.
“Developers cannot be blamed for not doing anything. Protecting scripts in an environment that they cannot control is a hopeless business,” says Palant.
In turn, the developers issued an official statement in which they reported that “they eliminated all the discovered vulnerabilities and significantly reduced the attack surface.”
Note that in the summer of 2019, Ronald Eikenberg, editor of the German c’t magazine, had already discovered a similar problem in Kaspersky Lab products. He noticed at the time that Kaspersky Lab’s security products gave websites and other services a unique ID for each user, by which the victim could be successfully tracked.