A path traversal flaw recently reported in Kaspersky Anti-Virus can enable a remote user to view files on a target system, according to Security Tracker.
The software does not properly validate input that users key into its virtual keyboard, the researchers claim. This enables a remote user to create specially crafted HTML that, once downloaded by the target user, brings up the virtual keyboard. At this point the attacker can view files on the victim’s system.
“A specially crafted GetGraphics() call with an input value containing directory traversal characters can trigger this flaw,” Security Tracker said.
The advisory is available here.
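As an added example (not taken from the Security Tracker advisory or from Kaspersky's code), the sketch below shows the kind of input validation whose absence the advisory describes: a requested resource name is resolved under Windows path rules and rejected if it would leave its base directory. `resolve_graphic`, `classify` and `GRAPHICS_ROOT` are hypothetical names, the sample requests are constructed, and the check is purely lexical, so it does not follow links on disk.

```python
import ntpath  # Windows path rules; pure string logic, runs on any OS

# Hypothetical base directory (assumption, not the product's real layout).
GRAPHICS_ROOT = r"C:\Program Files\ExampleAV\skin\graphics"


def resolve_graphic(name, root=GRAPHICS_ROOT):
    """Map a requested graphic name to a path under root, or raise ValueError."""
    if not name or "\x00" in name:
        raise ValueError("empty name or embedded NUL")
    rel = name.replace("/", "\\")  # Windows accepts both separators
    drive, rest = ntpath.splitdrive(rel)
    if drive or rest.startswith("\\"):
        raise ValueError("absolute, drive-relative or UNC path")
    if ":" in rest:
        raise ValueError("alternate data stream syntax")
    for part in rest.split("\\"):
        # Win32 drops trailing dots/spaces, so "x." could alias "x".
        if part not in (".", "..") and part.endswith((" ", ".")):
            raise ValueError("component ends in dot or space")
    base = ntpath.normcase(ntpath.normpath(root))
    # Collapse "." and ".." lexically, then require strict containment.
    full = ntpath.normpath(ntpath.join(root, rest))
    probe = ntpath.normcase(full)
    if probe == base or ntpath.commonpath([probe, base]) != base:
        raise ValueError("path escapes graphics root")
    return full


def classify(names):
    """Return {name: resolved path or 'REJECTED: reason'} for review."""
    out = {}
    for n in names:
        try:
            out[n] = resolve_graphic(n)
        except ValueError as exc:
            out[n] = "REJECTED: " + str(exc)
    return out


# Constructed sample requests, not taken from the advisory.
SAMPLES = ["keys\\enter.png", "keys/../enter.png", "..\\..\\..\\Windows\\win.ini",
           "C:\\Windows\\win.ini", "\\\\host\\share\\x.png", "enter.png:hidden"]

if __name__ == "__main__":
    for name, verdict in classify(SAMPLES).items():
        print(f"{name!r:40} -> {verdict}")
```

The containment test compares whole path components, so a sibling directory such as `graphics2` is not mistaken for a location inside `graphics`.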