Kaspersky released a fix this week for these flaws, several of which were reported to the company by researchers from VeriSign iDefense Labs and TippingPoint as long ago as last November.
Reported as part of TippingPoint’s Zero Day Initiative, the oldest of the bunch was a bug in the way Kaspersky’s anti-virus engine handled the ARJ archive format, one that can enable remote attacks.
“The Kaspersky engine copies data from scanned archives into an unchecked heap-based buffer,” according to an advisory on the Zero Day Initiative website.
“This results in heap corruption when a malformed ARJ archive is processed by an application that utilizes the engine. This corruption can be exploited to execute arbitrary code.”
A month after the vulnerability was reported to Kaspersky, iDefense Labs reported another flaw in a Kaspersky AntiVirus 6 ActiveX control that allows malicious websites to steal information from users’ machines.
Researchers at iDefense also found a heap overflow vulnerability in Kaspersky’s Internet Security Suite that can be exploited in local attacks, which they reported to the company first in January and then at the beginning of March.
Kaspersky Lab said Wednesday in an advisory posted on the company website that the vulnerabilities have been fixed in File Server version 6.0.
Secunia reports Kaspersky vulnerabilities as highly critical
By Ericka Chickowski on Apr 10, 2007 10:48AM