nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Gloves on as Googler deposits foul zero-day on Kaspersky lawn

Global patch makes for laborious long weekend

By Darren Pauli, 8 Sep 2015

Google security man Tavis Ormandy has revealed a dangerous remote zero day vulnerability in Kaspersky kit that grants attackers system privileges.

The bug is a remote "zero interaction" buffer overflow affecting default installation configurations of the latest anti-virus software versions.

"So, about as bad as it gets," Ormandy said on Twitter.

Kaspersky has promised that patches will land within 24 hours of the public zero day disclosure. The company thanked Ormandy, but made no mention of the public disclosure.

"We're improving our mitigation strategies to prevent exploiting of inherent imperfections of our software in the future," the company said in a statement.

"Kaspersky Lab has always supported the assessment of our solutions by independent researchers. Their ongoing efforts help us to make our solutions stronger, more productive and more reliable."

The exploit.

The exploit

The full disclosure irked security expert Graham Cluley, as it was dropped over the US Labor Day long weekend. A great many folk take advantage of the holiday to travel, making a rapid response harder than would be the case on most other weekends.

"[This] clearly makes it difficult as possible for a corporation to put together a response for concerned users," Cluley said.

"Nonetheless, one remains concerned that in the past malicious hackers have taken details of flaws published by Ormandy and used them in attacks."

Users and admins should apply the fixes as soon as possible. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing