Kaspersky falls through Online Scanner flaw

Security firm unaware of 'highly critical' vulnerability

A flaw in Kaspersky's Online Scanner could be exploited by malicious hackers to compromise a user's system.

However, when we first approached the security firm about the flaw a spokesman said that he was "unaware of the problem" and that the company would issue a statement later.

A return call several hours later from Kaspersky's senior technology consultant, David Emm, produced a similar response.

"At the end of the day nothing is 100 per cent secure and anything humans can write, humans can undermine," he said, before going on to discuss two separate vulnerabilities.

When we pointed out that we were talking about a flaw in the company's online scanner found today, he stated that he had not seen the problem. "I'm on a client day at Alton Towers," he said.

After further consultation, Emm called back again to say that users were covered by the version currently on the Kaspersky website.

"The software that's up there is the latest version and is the fixed version," he said.

However, when asked whether this version will work if a user has the old version downloaded on their computer, Emm admitted that it would not.

"You will need to uninstall the one you had installed originally and install the latest version," he said.

When pressed as to whether Kaspersky will warn users about the situation, Emm said that it was "likely" but that he "cannot confirm it".

The vulnerability is caused by a format string error in the kavwebscan.CKAVWebScan ActiveX control, which users have to download before using the scanner.

This could be exploited to execute arbitrary code, for example when a user visits a malicious website.

Security firm Secunia rated the vulnerability in an advisory as 'highly critical'.

The problem affects version 5.0.93.1 and earlier versions, but can be fixed by updating to version 5.0.98.0.

The problem was discovered by Stephen Fewer of Harmony Security and reported via iDefense Labs.