SECURITY
Cybersecurity firm Kaspersky Lab is alleged to have vulnerabilities in its software that expose its application programming interface to abuse by websites.
First documented Monday by cybersecurity researcher Wladimir Palant, the vulnerabilities were found in software including Kaspersky Internet Security 2019.
Palant says that he first uncovered the vulnerabilities and security issues in December last year. Although Kaspersky addressed some of the issues in an update in July 2019, other vulnerabilities remain and new vulnerabilities have since been discovered.
“When I tried the new Kaspersky Internet Security 2020, extracting the secret from injected scripts was still trivial and the main challenge was adapting my proof-of-concept code to changes in the API calling convention,” Palant told ZDNet. “Frankly, I cannot blame Kaspersky developers for not even trying — I think that defending their scripts in an environment that they cannot control is a lost cause.”
Kaspersky denied the claim, saying in a blog post Monday that it has already fixed the security issues raised by Palant in the web protection component of its products and product extensions for Google Chrome.
Kaspersky did concede that “no matter how thorough the preventive measures are, little buggies manage to sneak in — and no software product in the world can completely get rid of them at the preventive stage.” But vulnerabilities in software provided by a cybersecurity company are never a good look.
“Antivirus and other security technologies are a hugely valuable attack surface,” Craig Young, computer security researcher for cybersecurity firm Tripwire Inc.’s vulnerability and exposure research team, told SiliconANGLE. “These systems are a common target for adversarial exploitation because they typically have a lot of access and will process dangerous inputs with minimal user interaction.”
Young said he’s generally opposed to deploying technologies that intercept and modify web traffic. He added, “The fact of the matter is that there are simply too many ways in which this can go wrong and oftentimes the perceived security benefits are negated by the extensive risk they introduce.”
Kaspersky has been a subject of drama in the past, permanently banned from providing services to the U.S. government over concerns about its links to the Russian government. Despite the ban, the company has also been a good citizen, helping the U.S. National Security Agency catch a data-stealing contractor in January.