The flaw (CVE-2016-6231) could allow an attacker to perform man-in-the-middle (MitM) attacks by presenting a bogus SSL certificate for a secure site which the application would silently accept, according to an advisory on Coomber’s blog Info-Sec.ca.
The bug is caused by the app’s failure to validate the SSL certificates it receives when connecting to secure sites. Versions 1.6.0 and below are affected.
Coomber notified Kaspersky of the bug on June 23 and the issue was patched on July 28 in the release of version 1.7.0. Users are encouraged to update the app as soon as possible.
Kaspersky said in its own advisory that the “vulnerability could have been exploited only if user opens malware HTTPS link that is not detected by anti-phishing or other anti-malware engines embedded in the application.”