Secunia yesterday released a highly critical advisory for multiple vulnerabilities in several Kaspersky Lab products that could allow remote attackers to access or steal files and local attackers to bypass security measures.
The oldest of the bunch, reported through TippingPoint’s Zero Day Initiative, was a bug in the way Kaspersky’s anti-virus engine handled the ARJ archive format, one that can enable remote attacks.
“The Kaspersky engine copies data from scanned archives into an unchecked heap-based buffer,” according to an advisory on the Zero Day Initiative website. “This results in heap corruption when a malformed ARJ archive is processed by an application that utilizes the engine. This corruption can be exploited to execute arbitrary code.”
A month after the ARJ vulnerability was reported to Kaspersky, iDefense Labs reported another flaw, this one in a Kaspersky AntiVirus 6 ActiveX control, that allows malicious websites to steal information from users’ machines. Researchers at iDefense also found a heap overflow vulnerability in Kaspersky’s Internet Security Suite that is open to local attacks, which they reported to the company first in January and then at the beginning of March.
Kaspersky Lab said Wednesday in an advisory posted on the company website that the vulnerabilities have been fixed in File Server version 6.0.