Security in security products – fixed

We are software developers. Which means we are humans (so far). And all humans make mistakes. That’s why you won’t find a software developer in the world whose products are without any flaws or mistakes. Simply put: Bugs happen. It’s normal.

Bug busters wanted

What is not normal is not trying to find and fix those bugs. That’s why we at Kaspersky put a lot of effort into it. We eliminate most vulnerabilities in our products during several stages internal testing, and we have a very thorough beta-testing program that involves many people (including our devoted Kaspersky Club). We also implemented the secure development cycle. All of that helps us minimize the number of bugs and vulnerabilities.

However, no matter how thorough the preventive measures are, little buggies manage to sneak in — and no software product in the world can completely get rid of them at the preventive stage. That’s why we not only continue monitoring them intently after our releases, but also encourage independent researchers to discover and report them. This includes the creation of our bug bounty program together with HackerOne, which offers a reward of up to $100,000 for reporting bugs, and establishing a Safe Harbor for researchers with Disclose.io. We invite every researcher, using any channel of communication, to disclose any bugs or vulnerabilities they find to us.

So, today we thank Wladimir Palant, an independent security researcher, who informed us about several vulnerabilities in some of our products. Now we’re shedding light on the bugs Palant discovered, how we fixed them, and the current state of our products.

Found and fixed

To provide a secure Internet connection, including blocking ads and trackers and warning you about malicious search results, we use a browser extension. Of course, you may refuse to install this (or any) extension. Our app won’t leave you without protection on the Internet, so if it senses the extension isn’t installed, it injects scripts into the Web pages you visit to monitor them for potential threats. In such cases, a communication channel is established between the script and the body of the security solution.

The bulk of the vulnerabilities Palant discovered were in this communication channel. In theory, if an adversary attacked this channel, it could be used to command the main app. Palant discovered the issue affecting Kaspersky Internet Security 2019 back in December 2018, and he reported it to us through the bug bounty program. We started working on the issue immediately.

Another of Palant’s findings was a potential exploit using the communication channel between the browser extension and the product, for example to access important data such as a Kaspersky security solution’s product ID, product version, and operating system version. We fixed that as well.

Finally, Ronald Eikenberg of c’t magazine discovered a vulnerability

that disclosed unique IDs to websites visited by users of Kaspersky products. We fixed it back in July, and by August it had reached all of our users. Palant later found another vulnerability of that sort, and it was fixed in November 2019.

Why use that technology?

Using scripts like those we describe above is not an uncommon practice in the antivirus world; however, not every vendor uses them. As for us, we use the script-injection technology only if you don’t enable our browser extension. We recommend using the extension. However, even if you decide not to use it, we still do our best to provide you with a good user experience and protection.

The scripts are used mainly to enhance user experience — for example, they help block banners — but in addition to that, they protect users against attacks with dynamic Web pages, which cannot otherwise be detected if the Kaspersky Protection extension is disabled. Also, components such as antiphishing and parental control rely on the scripts to work.

Thanks to Wladimir Palant, we were able to significantly enhance the protection of the communication channel between the scripts or the plugin and the main app.

Building it together

As of now, all discovered vulnerabilities have been closed, and the attack surface is significantly narrowed. Our products are safe whether you use them with or without the Kaspersky Protection browser extension.

We want to thank everyone who helps us find bugs in our products. It is partly due to their efforts our solutions continue to be the best, as proved by different independent test laboratories, and invite all security researchers to participate in our bug bounty program.

Nothing is absolutely secure. However, by working together with security researchers, fixing vulnerabilities as soon as possible, and constantly improving our technologies we can offer our users the strongest protection in existence against all possible threats.