
A vulnerability that could be abused by attackers was discovered, and quickly fixed, in the Kaspersky Internet Security antivirus package: it allowed attackers to spoof network traffic and turn the antivirus product against both the user and itself.

Google Project Zero security researcher Tavis Ormandy is on a roll these days, finding zero-day exploits in the same Kaspersky antivirus in early September, and then another one in the Avast antivirus just the past week.

According to Mr. Ormandy’s research, the problem is actually a design flaw, the Network Attack Blocker being “a simple stateless packet filter with a pattern-matching signature system.”

The antivirus could have been used to block Windows Update
If a malicious packet is detected trying to slip in, the Kaspersky antivirus simply blacklists that packet’s origin IP address.

As Mr. Ormandy explains, an attacker could easily spoof a network packet and fool the antivirus into blocking services such as Windows Update, Kaspersky’s own update servers, or any other IP addresses whose loss would cripple a computer’s defenses, allowing the attacker to carry out further attacks later on.

Additionally, because the Network Attack Blocker does not understand application-layer context, the antivirus can also be fooled into blocking IP addresses simply by embedding a virus signature in an image’s metadata or inside an email.
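The following simulation, added here as an illustration and not code from Kaspersky or from Mr. Ormandy’s research, models the two designs side by side: a stateless filter that blacklists the source IP of any packet matching a signature, and a hardened variant that only acts on established TCP connections the remote side initiated and never bans allowlisted infrastructure. The signature, the IP addresses (RFC 5737 test ranges), the packet fields and the hardened policy are all constructed assumptions for the example.

```python
from dataclasses import dataclass

# Constructed signature: the byte pattern the filter treats as an attack.
ATTACK_SIGNATURES = [b"EVIL-EXPLOIT-PATTERN"]

# Constructed placeholder addresses from the RFC 5737 documentation ranges.
UPDATE_SERVER = "192.0.2.10"    # stands in for an update server
ATTACKER_HOST = "198.51.100.7"  # stands in for a host really sending an attack
WEB_SERVER = "203.0.113.5"      # stands in for a web server hosting an image
LOCAL_HOST = "10.0.0.2"


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                   # "tcp" or "udp"
    payload: bytes
    tcp_established: bool = False  # part of a completed TCP handshake?
    local_initiated: bool = False  # did the local host open this connection?


def matches_signature(payload: bytes) -> bool:
    return any(sig in payload for sig in ATTACK_SIGNATURES)


class StatelessBlocker:
    """Models the design the article describes: no connection state, and the
    source IP of any matching packet is blacklisted on sight."""

    def __init__(self):
        self.blocked = set()

    def inspect(self, pkt: Packet) -> bool:
        """Returns True if traffic from pkt.src_ip is now blocked."""
        if matches_signature(pkt.payload):
            self.blocked.add(pkt.src_ip)
        return pkt.src_ip in self.blocked


class HardenedBlocker:
    """Assumed hardened policy (not the vendor's actual fix): only blacklist a
    peer whose address is backed by an established TCP connection that the
    peer itself opened, never blacklist allowlisted infrastructure, and log
    every other match instead of banning the source."""

    def __init__(self, allowlist):
        self.blocked = set()
        self.allowlist = set(allowlist)
        self.detections = []  # (src_ip, reason) records kept for review

    def inspect(self, pkt: Packet) -> bool:
        if not matches_signature(pkt.payload):
            return pkt.src_ip in self.blocked
        if pkt.src_ip in self.allowlist:
            self.detections.append((pkt.src_ip, "match from allowlisted host"))
            return False
        if pkt.proto == "tcp" and pkt.tcp_established and not pkt.local_initiated:
            self.blocked.add(pkt.src_ip)
        else:
            # Spoofable (UDP / unsolicited) or content we fetched ourselves:
            # record it, but do not ban the address.
            self.detections.append((pkt.src_ip, "match without inbound TCP state"))
        return pkt.src_ip in self.blocked


def run_scenario() -> dict:
    """Feed the same constructed packets to both designs and report who
    ends up blocked."""
    stateless = StatelessBlocker()
    hardened = HardenedBlocker(allowlist={UPDATE_SERVER})
    results = {}

    # 1. Unsolicited UDP datagram whose source address is forged to look
    #    like the update server; the payload carries the signature.
    spoofed = Packet(UPDATE_SERVER, LOCAL_HOST, "udp",
                     b"junk" + ATTACK_SIGNATURES[0])
    stateless.inspect(spoofed)
    hardened.inspect(spoofed)

    # 2. Genuine update traffic from the real server arrives afterwards.
    genuine = Packet(UPDATE_SERVER, LOCAL_HOST, "tcp", b"HTTP/1.1 200 OK\r\n",
                     tcp_established=True, local_initiated=True)
    results["stateless_blocks_update"] = stateless.inspect(genuine)
    results["hardened_blocks_update"] = hardened.inspect(genuine)

    # 3. An image we downloaded ourselves, with the signature embedded in
    #    its metadata (constructed JPEG/Exif-like prefix).
    image = Packet(WEB_SERVER, LOCAL_HOST, "tcp",
                   b"\xff\xd8\xff\xe1Exif\x00\x00" + ATTACK_SIGNATURES[0],
                   tcp_established=True, local_initiated=True)
    results["stateless_blocks_webserver"] = stateless.inspect(image)
    results["hardened_blocks_webserver"] = hardened.inspect(image)

    # 4. A real inbound attack over a TCP connection the remote host opened.
    attack = Packet(ATTACKER_HOST, LOCAL_HOST, "tcp",
                    b"GET /" + ATTACK_SIGNATURES[0],
                    tcp_established=True, local_initiated=False)
    results["stateless_blocks_attacker"] = stateless.inspect(attack)
    results["hardened_blocks_attacker"] = hardened.inspect(attack)
    results["hardened_detections"] = len(hardened.detections)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The stateless model bans the update server after a single forged datagram and bans the web server over an image it was asked to fetch; the hardened model keeps both reachable, records the matches for review, and still bans the host that actually pushed an attack over an inbound connection. The allowlist alone is not enough, which is why the example also ties blocking to connection state and direction.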
