Kaspersky & ActiveX Vulnerabilities

Discussion in 'other anti-virus software' started by AlamoCity, Apr 29, 2007.

Thread Status:
Not open for further replies.
  1. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Very knowledgeable people post at the KL forums so it's worth making enquiries there. It's not just a place for KL to interact with their customers, but also for users of their products to share ideas and help one another.
     
  2. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Obviously not in all the forums in the world. But it would be practical for software companies to have reps hang around a few of the largest forums in an unofficial capacity, in order to provide help/information that could ultimately generate new customers.

    Thanks, I appreciate that. I hope Kaspersky likes this thread as well, as I have said some nice things about them. :D
     
  3. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Here's something about it:

    "Unsafe methods (e.g. the "StartUploading()" method) in the AxKLSysInfo.dll and AxKLProd60.dll ActiveX controls can be exploited by malicious websites to remove and retrieve arbitrary files from a user's system."

    http://secunia.com/advisories/24778/
     
  4. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    The people at Kaspersky are the ones who had their feelings hurt, not me. Because they've worked hard to turn KAV into a world class program. So when they receive an email like mine, they're offended by it to the point of ignoring it. However, this kind of attitude is not only extremely unprofessional, it's ridiculously immature.

    As they shouldn't feel I'm out of line for questioning the current safety of their program. In fact, they should welcome the opportunity to alleviate concerns about the security breaches. Especially since their product is supposed to prevent exploits instead of causing them.

    It's like their attitude is: "So what if we put back doors in our program that allowed hackers to secretly access the hard drives of our customers. It was just for a few months! Plus, our customers were protected against viruses the entire time their data was available to hackers! So it's not like our program didn't perform as advertised."

    Many of the same people who post on the Kaspersky forum also post on this forum. So I feel the response I'm getting here is representative of what I'd get on that forum. For whatever reason, most KAV fans don't want to say critical things about the program. It's almost like they feel Kaspersky is a family member, and the security flaws are akin to a mental illness that shouldn't be discussed.

    Well I'm a KAV fan, but my loyalty is to the security of my hard drive, not Kaspersky. So when they knowingly jeopardize that security by intentionally utilizing unsafe technology, I'm not going to keep quiet about it. Instead, I'm going to complain about it in public forums, like I'm doing here.

    As exposing their dirty laundry to prospective customers is the best way to influence them to change their policy about using ActiveX controls in their program. And the vast majority of people on the Kaspersky forum are already customers.

    Also, in regards to the experts who are discovering the security holes in KAV, it would be nice if Kaspersky would take a proactive approach to security by hiring them to check for exploits before new versions of KAV are released.
     
  5. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I think security researchers, like those at Secunia, do report their findings to the particular vendor under test directly before they publish their results. When they are published, most vendors are working on a solution, and often you get patches issued within a short space of time, sometimes even before the advisory is published.
     
  6. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    That's very true. The objective of course is to keep every hacker in the world from learning about the exploits until they're patched.

    But my point is that security researchers don't get access to the program until it's been released to the public. Meaning that hackers could find the security holes long before the good guys do, since they're operating on an even playing field, and there's a lot more hackers than good guys. Thus Kaspersky should feel a moral obligation to have their program checked for security flaws before releasing it. As obviously, their customers buy KAV to prevent exploits, not cause them.
     
    Last edited: May 5, 2007
  7. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    818
    I'm pretty damn certain KAV devs check for exploits and potential holes in the software prior to the software getting released, but they must have missed this one on this occasion and as soon as they found out about the flaw, it was fixed... Mistakes happen; seeing as it's been rectified, I don't see an issue anymore and don't see why you still have a hatred towards Kaspersky... IMO it's not an issue anymore seeing as it's been fixed :)
     
  8. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    I'm sure they do also, but they obviously don't have the kind of expertise necessary to find the 'tough ones', as evidenced by the exploits listed below.

    They missed more than one, and it was more than one occasion:

    http://secunia.com/advisories/24778/?show_all_related=1#related

    1. Kaspersky Anti-Virus Engine UPX Processing Denial of Service
    2. Kaspersky Antivirus PE File Handling Denial of Service
    3. Kaspersky Labs Anti-Virus IOCTL Privilege Escalation
    4. Kaspersky Anti-Virus "klif.sys" Denial of Service Vulnerability
    5. Kaspersky Anti-Virus Engine Malformed Archives Virus Detection Bypass
    6. Kaspersky Anti-Virus Engine CHM File Parsing Buffer Overflow
    7. Kaspersky Anti-Virus CAB Archive Handling Buffer Overflow
    8. Kaspersky Anti-Virus Insecure Log Directory Security Issue
    9. Kaspersky Anti-Virus "klif.sys" Privilege Escalation Vulnerability
    10. Kaspersky Anti-Virus Zip Archive Virus Detection Bypass Vulnerability
    11. Multiple AV Products bzip2 Processing Denial of Service Vulnerability
    12. Kaspersky Anti-Virus DoS and Filter Circumvention

    If you'll read this thread, you'll see what the issues are.

    If you'll read this thread, you'll see I'm actually a KAV fan, and that I've said a few very nice things about the program. I'm simply trying to make the program better/more secure by shining a light on the weaknesses. Because if no one makes an issue about Kaspersky's previous use of unsafe ActiveX software, they'll be much more likely to use it again in the future.

    You really should familiarize yourself with a thread before making such an irresponsible accusation. Because "hatred" is a pretty strong word, and highly inaccurate in this case. Let me guess, the concept of "constructive criticism" is totally unfamiliar to you?

    IMO, it's still an issue, hence this thread. If you'll read the thread instead of just scanning it, you'll understand why. Or maybe not, depending on your level of comprehension. :)
     
  9. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    Every software has vulnerabilities.
    People said for ages Apple Mac was unhackable.
    But a few weeks ago someone found a flaw which created a back door to do anything to the system and nick any data.
    lodore
     
  10. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    I don't know if you're aware of it guys, but you're actually feeding the troll (oh, i'm sorry Kav fan) the "ammo" he needs. :D
     
  11. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Let's examine the facts. Kaspersky knowingly used unsafe technology that has a well known history of being exploited. Consequently, my business records may have been compromised by hackers, which could destroy my business. But you label me a troll for posting on-topic complaints about it. This certainly doesn't do much for your credibility.

    In fact, since your post was totally off-topic, contributed nothing to the thread, and was designed solely to harass someone, it makes you a troll. You're not the only KAV fan who hates me for being so critical about the program. You're just the only one who was unprofessional enough to resort to immature name calling. Please try to control yourself like everyone else, and respect the rules by limiting your posts to just on-topic comments.

    Thanks in advance. :D
     
  12. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Harass? Good one. :D

    I don't hate you, that's just a label you need to put on me to justify your crusade, and subsequently those who do not agree are KAV fans who cannot handle critique of their chosen anti-virus.

    As for my credibility around here and other forums... I think it's pretty good if you ask around, at least as good as a first time poster on a crusade.

    FYI, Kaspersky does not read this forum so you're pretty much talking to the wind in that regard if you are really interested in making them aware, but then again it's not really Kaspersky you're interested in reaching, is it...

    Now back to your crusade. :)
     
  13. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    "Harass" was too strong a word, I should have used "insult" instead. Sorry about that. :D

    I didn't say you didn't have credibility. I indicated that you had undermined your credibility by falsely labeling someone as a troll for posting legitimate complaints.

    As for Mr. Kaspersky, I'm sure he doesn't have time to read this forum. But I'm also sure this thread has been brought to his attention, and that he has evaluated my comments with an open mind. I also believe there's a good possibility it may influence him to direct the developers to permanently ban ActiveX controls from future versions of KAV. So it's ironic that my so called "crusade" may help you by making the program a lot more secure.
     
  14. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Not really since, to quote Secunia, the solution is to:
    Which, incidentally, had been available some time BEFORE Secunia published their findings.

    And we're now already at v6.0.2.621 in the version 6 line.

    The point is Secunia discovered the vulnerabilities mentioned, reported them to KL and they updated their products to fix them.
     
    Last edited: May 6, 2007
  15. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    I can't resist this, but perhaps the same should be said of Microsoft & Windows? :D
     
  16. plantextract

    plantextract Registered Member

    Joined:
    Feb 13, 2007
    Posts:
    392
    not only that, look at secunia for other Anti-virus vendors, almost all have some flaws (not to mention regular software like winamp)
     
  17. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    AlamoCity

    A couple of things; firstly, I have read through this thread with interest but do not understand the point(s) that you have been/are trying to make as your initial concerns appear to have been responded to in the latest version of the product? Where are you coming from on this? Secondly, Don is correct, it is less likely that the Kaspersky Team will see the points made here (no disrespect to Wilders as this is a great forum but KL have their own). If you feel that you have a legitimate issue with the software then you should really be posting at the Kaspersky Labs forum (http://forum.kaspersky.com/) where I am sure that your points will be picked up by the Kaspersky Team if still valid.

    Regards

    Baldrick:)
     
  18. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    What do you mean "not really"? Post #33 in this thread lists multiple exploits that occurred over a period of time. And dawgg had implied that Kaspersky only missed the ActiveX back doors.

    You're overlooking some important facts. There's a lot more hackers than good guys looking for KAV exploits. And they could have found those back doors long before the good guys did in this case. They could even have found them 24 hours after the program was first released. No one knows. So the only solution is for Kaspersky to pay the experts to check for exploits long before hackers have access to the program.

    All Kaspersky did was remove three DLL's from the program, which could easily be uploaded back onto hard drives by compromised/malicious websites. They also ignored the following email I sent to info@kaspersky.com on Apr 30, 2007, 8:30 AM:

    "Does your Kaspersky® Anti-Virus 6.0 program currently use any ActiveX controls? If so, could you please tell me what they're used for, as far as the functions they provide."

    One reason they may have ignored it is because they're still using ActiveX controls in their program for other features, and they don't want to officially deny it or admit it. And no, I'm not going to ask in their forum, as I want it in writing from the company rather than a volunteer moderator.
     
    Last edited: May 7, 2007
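
The question raised in the post above (is an ActiveX control from the product still registered and reachable from web pages?) can be checked from the registry instead of waiting on the vendor. The following is an added example, not code from this thread, Secunia or Kaspersky: it parses a `reg export` text dump and reports, for controls served by the two DLLs named in the advisory quote, whether they are marked safe for scripting and whether the Internet Explorer kill bit is set. The CLSIDs, install path and export text are constructed placeholders.

```python
import re

# CATID_SafeForScripting: registering under it tells IE that page script may call the control.
SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C4EBD}"
KILL_BIT = 0x400  # bit in "Compatibility Flags" that stops IE instantiating the control
GUID = r"\{[0-9A-Fa-f-]{36}\}"
INPROC = re.compile(rf"\\CLSID\\({GUID})\\InprocServer32$", re.I)
CATEGORY = re.compile(rf"\\CLSID\\({GUID})\\Implemented Categories\\({GUID})$", re.I)
COMPAT = re.compile(rf"\\ActiveX Compatibility\\({GUID})$", re.I)

# Constructed sample: placeholder CLSIDs and install path, not real registry data.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000A1}\InprocServer32]
@="C:\\Program Files\\ExampleAV\\AxKLSysInfo.dll"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000A1}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C4EBD}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000A2}\InprocServer32]
@="C:\\Program Files\\ExampleAV\\AxKLProd60.dll"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000A2}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C4EBD}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000A2}]
"Compatibility Flags"=dword:00000400
"""


def audit_activex(reg_text, dll_names):
    """Report scripting/kill-bit status for controls whose server DLL is in dll_names."""
    wanted = {name.lower() for name in dll_names}
    servers, scriptable, killed = {}, set(), set()
    key = ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # new registry key section
            cat = CATEGORY.search(key)
            if cat and cat.group(2).upper() == SAFE_FOR_SCRIPTING:
                scriptable.add(cat.group(1).upper())
            continue
        inproc, compat = INPROC.search(key), COMPAT.search(key)
        if inproc and line.startswith('@="'):
            # .reg files escape backslashes; undo that to get the DLL path
            servers[inproc.group(1).upper()] = line[3:-1].replace("\\\\", "\\")
        elif compat and line.lower().startswith('"compatibility flags"=dword:'):
            if int(line.split(":", 1)[1], 16) & KILL_BIT:
                killed.add(compat.group(1).upper())
    report = {}
    for clsid, path in servers.items():
        if path.rsplit("\\", 1)[-1].lower() in wanted:
            scr, dead = clsid in scriptable, clsid in killed
            report[clsid] = {"dll": path, "safe_for_scripting": scr,
                             "kill_bit": dead, "web_reachable": scr and not dead}
    return report


if __name__ == "__main__":
    for clsid, info in audit_activex(SAMPLE_EXPORT, ["AxKLSysInfo.dll", "AxKLProd60.dll"]).items():
        print(clsid, info)
```

The registry only shows controls that declare themselves safe through component categories; a control can also assert safety at run time through IObjectSafety, so a clean report here does not prove that page script cannot reach it.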
  19. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Umm, this thread is about Kaspersky. And people buy security software with the expectation that it will protect them from exploits, not cause them. Which is why I indicated that Kaspersky has a moral obligation to make sure there's no back doors in KAV before releasing it to their unsuspecting customers. Because there's something inherently wrong with being safer by not using an anti-virus program.

    Being able to make the following statement is something that Mr. Kaspersky should definitely be ashamed of: "My customers would have been safer by not using my anti-virus program for a period of time, as long as they had a good firewall in place, and they didn't do anything risky on the Internet."

    Personally, I went without any kind of anti-virus protection for at least a year, and never got a single virus, trojan, etc. My only security was a software firewall, period. And I spent hours on the Internet every day.
     
  20. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    But this thread is about improving the security of KAV. :)
     
  21. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    If I answered this I would just be repeating myself. So it's better if you just read the thread again. :)

    Some of the people who posted comments in this thread are moderators on the Kaspersky forum, and one of them has made over 12,000 posts there. So I'm quite sure this thread has been brought to the attention of someone on the "Kaspersky Team". Which means that posting here is the same thing as posting on the Kaspersky forum.

    Plus, by posting everything here, hundreds of prospective customers interested in KAV will have access to all of the details. Which provides Kaspersky with more of an incentive to ban ActiveX controls from future versions of KAV, thus making the program safer for everyone.

    The facts are pretty clear. Kaspersky knowingly jeopardized the security of their customers by utilizing ActiveX controls in KAV, which have a history of being easily exploited. And they were in fact exploited, providing hackers with back doors into the hard drives of everyone who was using KAV to protect themselves.

    If no one makes an issue about it, or goes on a "crusade" as Don puts it, then there's zero reason for Kaspersky to not use ActiveX based features in KAV again. Or remove them if they're still in use. But with this thread, at least they have one reason.
     
  22. plantextract

    plantextract Registered Member

    Joined:
    Feb 13, 2007
    Posts:
    392
    they are already gone, and they won't be coming back. so i don't know what this is all about "remove them from future versions". I'm starting to believe that you really are a troll.
     
  23. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Hi!
    I have read this thread first with curiosity then surprise and now I am disgusted...

    This thread could have been brought to the attention of KL if it was relevant or important, for this reason I am sure KL is NOT AT ALL informed about it! :thumbd:

    Fax
     
  24. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    I am perfectly capable of reading and I do not believe that you have answered this...otherwise I would not have asked the question. I believe that you are just interested in YOUR view and are not happy when others try to understand this (so perhaps we should just ignore you)

    Don't believe that as I think that the moderators have more important things to do than transmit your views.

    But as you have already been told that the issue has been resolved what is the point of persisting with this. It has been fixed. If you doubt that then why not email Kaspersky Labs directly and ask them the question?

    So have many other AV suppliers in this and many other ways so why pick on Kaspersky? Why not be fair and start a thread that highlights all the top AV supplier CURRENT vulnerabilities? That would be more useful than a vendetta which is what you seem to be pursuing IMHO.

    If you knew anything about Kaspersky then you would know that they are one of the best listeners in the business and have one of the most active group of users IMHO (I used NIS & ZASS before KIS can compare Kaspersky with those companies...support is much better than either based on when I was using them).

    IMHO opinion I think that you may well be taken for a troll or a flamer and finally ignored as others taking such approaches have been. And that would be sad as I think that your initial points were good/justified.
     
  25. AlamoCity

    AlamoCity Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    149
    Sorry plantextract, but since you won't disclose what your connection is to Kaspersky, if there is one, I can't take your word for it. Instead, I have to go by the facts. Which is that Kaspersky ignored the email I sent them inquiring whether their current version of KAV still utilizes any ActiveX controls. So based on their refusal to respond, I suspect they may still be using them.

    After all, they were willing to use them for an unnecessary tool, so it's not a stretch to believe they're still using them for other, more important features. And again, the company won't officially confirm or deny it. And again, what you say on the subject is totally irrelevant (no insult intended). By the same token, what volunteers say in the Kaspersky forum can't be relied on as anything more than speculation.

    You're misquoting me, as I never said that. I stated "there's zero reason for Kaspersky to not use ActiveX based features in KAV again. Or remove them if they're still in use. But with this thread, at least they have one reason." Meaning that since they've already used them once, for an unnecessary tool, there's a good chance they'd be willing to use them again in the future for another feature.

    So again, this thread will give them at least one good reason why they shouldn't expose their customers to unsafe software that has a history of being exploited."

    Fine, undermine your credibility all you want to. :D
     