Kaspersky products allegedly have vulnerabilities that invite abuse by websites, but it denies claim
Cybersecurity firm Kaspersky Lab is alleged to have vulnerabilities in its software that expose its application programming interface to abuse by websites.
First documented Monday by cybersecurity researcher Wladimir Palant, the vulnerabilities were found in software including Kaspersky Internet Security 2019.
Palant says that he first uncovered the vulnerabilities and security issues in December last year. Although Kaspersky addressed some of the issues in an update in July 2019, other vulnerabilities remain and new vulnerabilities have since been discovered.
“When I tried the new Kaspersky Internet Security 2020, extracting the secret from injected scripts was still trivial and the main challenge was adapting my proof-of-concept code to changes in the API calling convention,” Palant told ZDNet. “Frankly, I cannot blame Kaspersky developers for not even trying — I think that defending their scripts in an environment that they cannot control is a lost cause.”
Kaspersky denied the claim, saying in a blog post Monday that it has already fixed the security issues raised by Palant in the web protection component of its products and product extensions for Google Chrome.
Kaspersky did concede that “no matter how thorough the preventive measures are, little buggies manage to sneak in — and no software product in the world can completely get rid of them at the preventive stage.” But vulnerabilities in software provided by a cybersecurity company are never a good look.
“Antivirus and other security technologies are a hugely valuable attack surface,” Craig Young, computer security researcher for cybersecurity firm Tripwire Inc.’s vulnerability and exposure research team, told SiliconANGLE. “These systems are a common target for adversarial exploitation because they typically have a lot of access and will process dangerous inputs with minimal user interaction.”
Young said he’s generally opposed to deploying technologies that intercept and modify web traffic. He added, “The fact of the matter is that there are simply too many ways in which this can go wrong and oftentimes the perceived security benefits are negated by the extensive risk they introduce.”
Kaspersky has been a subject of drama in the past, having been permanently banned from providing services to the U.S. government over concerns about its links to the Russian government. Despite the ban, the company has also been a good citizen, helping the U.S. National Security Agency catch a data-stealing contractor in January.
Photo: Wikimedia Commons