Kaspersky quickly rolls out update to fix the issue

Sep 7, 2015 11:57 GMT

Tavis Ormandy, an Information Security Engineer at Google, has found a zero-day exploit in Kaspersky's antivirus product, as he announced on Twitter last Saturday.

According to Ormandy's tweet, the Google security researcher had found a zero-day exploit in Kaspersky's antivirus, versions 15.x and 16.x.

Later on he detailed the vulnerability as "a remote, zero interaction SYSTEM exploit, in default config."

Basically, the Kaspersky zero-day bug would have permitted an attacker to easily infiltrate the victim's computer and gain system-level privileges, allowing him to carry out any kind of attack without restrictions.

The Kaspersky team was very responsive to a tweet seeking contact with their security staff, with even the company's president, Eugene Kaspersky, getting involved to make sure the vulnerability was properly and privately disclosed.

Kaspersky announced an update in less than 24 hours

One day later, on Sunday morning, Kaspersky announced a worldwide update for its product.

Since so few details were provided on Twitter, and Kaspersky released an update in less than 24 hours, there is little chance this vulnerability was ever used by a malicious actor.

This is not the first time Ormandy has exposed a flaw in a security product; the Google engineer previously discovered and disclosed vulnerabilities in Sophos's and ESET's antivirus engines. He also found a zero-day vulnerability in Windows XP's Help and Support Center.

Security researchers like Graham Cluley have been highly critical of Ormandy in the past because he doesn't seem to want to follow regular protocol when it comes to disclosing bugs to software manufacturers.

Instead, Ormandy just puts the information online, where it can easily be picked up by hackers and integrated into exploit kits. This time, the details he provided were scarcer, and he seems to have followed the "unofficial" disclosure protocol.

Softpedia reached out to Kaspersky and we'll update the article as new information comes to light.

UPDATE: Kaspersky Lab has answered Softpedia's inquiry into the matter with the following statement:

"We would like to thank Mr. Tavis Ormandy for reporting to us a buffer overflow vulnerability, which our specialists fixed within 24 hours of its disclosure. A fix has already been distributed via automatic updates to all our clients and customers. We’re improving our mitigation strategies to prevent exploiting of inherent imperfections of our software in the future. For instance, we already use such technologies as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). Kaspersky Lab has always supported the assessment of our solutions by independent researchers. Their ongoing efforts help us to make our solutions stronger, more productive and more reliable."

This was a bad day for antivirus makers. On the same day the Kaspersky bug was revealed to the public, another security researcher found a zero-day exploit in FireEye's antivirus as well.