Over the weekend the security researcher Tavis Ormandy discovered a zero-day vulnerability in Kaspersky Anti-Virus 2015 and 2016. The flaw is a buffer overflow (defined) and could be exploited remotely, either by the victim visiting a website of the attacker’s choice or by the device the Kaspersky product is protecting receiving specially crafted data packets from the attacker over its internet connection.
Kaspersky quickly responded by updating its products to resolve the issue and said that it intends to add further mitigations to make issues of this kind harder to exploit in future. Kaspersky’s products already use Data Execution Prevention (DEP)(defined here and here) and Address Space Layout Randomization (ASLR)(defined), which complicate the exploitation of such overflows: DEP stops data an attacker has placed in the stack or heap from being executed, and ASLR makes the memory addresses an exploit relies on unpredictable. Neither removes the underlying bug, which is why the update itself matters. A copy of the statement released by Kaspersky is available at the end of this blog post.
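To make the class of bug concrete, the following is an added example and not code from Kaspersky or from the researcher’s disclosure. It uses a constructed, hypothetical packet format (a one-byte length followed by a name field) and shows the shape of a buffer overflow reachable from crafted network data: a parser that checks the attacker-supplied length against the packet but not against its fixed-size destination, beside the hardened version that bounds the length first.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size destination: the precondition for a stack or heap overflow. */
#define NAME_MAX 16

struct record {
    char   name[NAME_MAX];
    size_t name_len;
};

/*
 * Constructed packet format for this example only (not a real protocol):
 * byte 0 is the length of a name field, bytes 1..len are the name.
 * Return values: 0 on success, -1 on a truncated packet, -2 when the
 * declared length exceeds the destination buffer.
 */

/* Vulnerable parser: validates the length against the packet, but not against
 * the 16-byte destination. A crafted packet with a length byte above 16 makes
 * memcpy write past 'name'. Kept only to show the bug; main() below never
 * feeds it hostile input. */
int parse_record_unsafe(const uint8_t *pkt, size_t pkt_len, struct record *out)
{
    if (pkt_len < 1)
        return -1;
    size_t len = pkt[0];
    if (pkt_len < 1 + len)
        return -1;
    memcpy(out->name, pkt + 1, len);   /* overflow when len > NAME_MAX */
    out->name_len = len;
    return 0;
}

/* Hardened parser: the attacker-controlled length is bounded by the
 * destination before any copy happens. */
int parse_record_safe(const uint8_t *pkt, size_t pkt_len, struct record *out)
{
    if (pkt_len < 1)
        return -1;
    size_t len = pkt[0];
    if (len > NAME_MAX)
        return -2;                     /* reject instead of overflowing */
    if (pkt_len < 1 + len)
        return -1;
    memcpy(out->name, pkt + 1, len);
    out->name_len = len;
    return 0;
}

/* Check a fuzzer or a detection rule could apply to captured packets: does the
 * declared length exceed what the unsafe parser's buffer can hold? */
int declares_overflow(const uint8_t *pkt, size_t pkt_len)
{
    return pkt_len >= 1 && pkt[0] > NAME_MAX;
}

int main(void)
{
    struct record r;
    /* Constructed benign packet: length 5, name "alice". */
    const uint8_t benign[] = { 5, 'a', 'l', 'i', 'c', 'e' };
    /* Constructed hostile packet: length 64 followed by 64 filler bytes,
     * four times the size of the destination buffer. */
    uint8_t hostile[1 + 64];
    hostile[0] = 64;
    memset(hostile + 1, 'A', 64);

    printf("benign  -> safe=%d unsafe=%d\n",
           parse_record_safe(benign, sizeof benign, &r),
           parse_record_unsafe(benign, sizeof benign, &r));
    printf("hostile -> safe=%d declares_overflow=%d\n",
           parse_record_safe(hostile, sizeof hostile, &r),
           declares_overflow(hostile, sizeof hostile));
    /* parse_record_unsafe(hostile, ...) is deliberately not called: it would
     * write 48 bytes past 'r.name' and corrupt the stack. */
    return 0;
}
```

The hardened parser differs from the vulnerable one by a single comparison, which is typical of this bug class. DEP and ASLR, as used by Kaspersky, make the 48 bytes of overflow in the hostile packet harder to turn into code execution, but only the bounds check removes the memory corruption itself.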
If you use any of Kaspersky’s security products to protect your device, please ensure that they are up to date so that this vulnerability cannot be exploited. Further information on updating a selection of Kaspersky products is provided below:
Links to 2015 and previous products are also provided within the above pages.
If you have any questions, you can contact Kaspersky for assistance. Links to their product forums are provided on the right-hand side of this page, with contact links for their business and home user support teams located at the end of the same page.
In a separate disclosure, security researcher Kristian Erik Hermansen published details of four vulnerabilities in FireEye’s security appliances. He also reported that a further 30 flaws had been found in joint work with another researcher, Ron Perris.
FireEye has published an official advisory (PDF) covering the initial four vulnerabilities disclosed by Hermansen. It provides further information, explains how to obtain the appropriate updates and lists recommended best practices. If you use any of the affected products, please follow the steps in the advisory to patch these issues as soon as possible.
I will continue to monitor these issues and will update this blog post as more information becomes available.
Update: 15th September 2015: FireEye has patched further vulnerabilities in its products, as documented in this advisory. However, no further details concerning the issues discussed above have been made available. If you use any of FireEye’s NX, EX, CM, AX or FX products, please ensure that they are running the most current release available from FireEye, as recommended in both FireEye advisories.