Kaspersky confirms antivirus software flaw

The problem affects Windows products only and preliminary protection was available last week. A permanent fix is in the works.

Kaspersky Lab confirmed Tuesday that a potentially serious flaw exists in its antivirus software, but said a fix is on the way.

The security software maker said it had offered preliminary protection to customers last week and that a permanent patch will be available on Wednesday.

Kaspersky also said that the vulnerability is limited to Microsoft Windows-based versions of its products. Additionally, while it does license the vulnerable component to some third parties, most partner products that use Kaspersky code are not affected, the Moscow-based company said in a statement.

Kaspersky issued the statement in response to a report on Monday of a flaw in its antivirus library. An attacker could exploit the heap overflow vulnerability to commandeer systems that run Kaspersky's products, security researcher Alex Wheeler wrote in an advisory.

"The actual threat posed by the...vulnerability is minimal and cannot affect the level of antivirus protection provided by Kaspersky Lab products," the company said in the statement.

Wheeler informed Kaspersky of the flaw around Sept. 24, said Stephen Orenberg, president of Kaspersky's North American operations. After an initial investigation, Kaspersky provided updated antivirus signatures on Sept. 29 to protect customers against attacks exploiting the flaw, he said. A final fix is due Wednesday, Orenberg said.

Affected products are: Kaspersky Anti-Virus Personal 5.0; Kaspersky Anti-Virus Personal Pro 5.0; Kaspersky Anti-Virus 5.0 for Windows Workstations; Kaspersky Anti-Virus 5.0 for Windows File Servers and Kaspersky Personal Security Suite 1.1.

"This is a theoretical flaw," Orenberg said. "There has never been an exploit for this flaw."

A hacker could launch a remote attack via the vulnerability by sending a malformed CAB file to a PC (in an e-mail, for example), the French Security Incident Response Team (FrSIRT) said in an advisory Monday. No user interaction is needed for the malicious code to run, FrSIRT noted. The group gave the issue its highest rating of "critical."

As the pool of easily exploitable security bugs in Microsoft Windows dries up, attackers are looking for holes in security software as a way to get into systems, Yankee Group analysts wrote in a research paper released earlier this year.

At the Black Hat Briefings security conference this summer, researchers at Internet Security Systems outlined vulnerabilities in antivirus products. ISS has discovered bugs in products from security software makers including Symantec, McAfee, Trend Micro and F-Secure.