Back in December last year, independent researcher Vladimir Palant discovered a number of problems in Kaspersky Lab products.
Palant was studying Kaspersky Internet Security 2019 when his attention was drawn to the web protection feature, which warns of malware in search results, blocks ads and trackers, and so on. The researcher explains that this functionality runs in the browser and must at the same time communicate with the main application, and the communication channel between them, as it turned out, had a number of problems.
In theory, this communication was protected by a special signature that the website does not know, but Palant discovered that a site can find it out relatively easily and then abuse the functionality of the security product: for example, disable ad blocking or tracking protection.
Kaspersky Lab specialists, who have already thanked the researcher for his work, explain that a browser extension is usually used for the purposes described above. However, if the extension is not installed, the security application injects special scripts into the visited pages in order to track threats with their help. In such cases, the communication channel already mentioned is established between the script and the main body of the security solution.
The developers note that injecting such scripts is common practice in the antivirus industry, although not every vendor resorts to this method. The scripts mainly serve to improve user comfort (for example, they help block ad banners). But they also protect, for example, against attacks that use dynamic web pages and could not otherwise be detected (if the Kaspersky Protection extension is disabled or missing). Components such as phishing protection and parental control also rely on these scripts.
Returning to the vulnerabilities discovered by Palant, we note that Kaspersky Lab released the first patches for these problems in the summer of 2019. However, this only made some features inaccessible to sites, namely the features that Palant had used to demonstrate the vulnerabilities: completely disabling ad blocking and tracking protection.
In addition, new problems appeared that had not existed before: sites were able to collect various information about the system, including a unique user ID that can be used to identify the user even across different browsers.
And, worst of all, the fix introduced a new bug that allowed sites to crash the antivirus. That is, sites were able to disable the antivirus and leave the system unprotected.
The second attempt to get rid of the problems took place in November 2019 and was more successful. Data about the user's system no longer leaks, and sites can no longer cause the antivirus to malfunction (this is now only possible for local applications and browser extensions). However, Palant notes that another patch is due to appear soon, and writes that the developers cannot be accused of doing nothing. According to him, "protecting scripts in an environment that they cannot control is a hopeless case."
In turn, the developers issued an official statement in which they reported that "they eliminated all the discovered vulnerabilities and significantly reduced the attack surface." The company claims that all products are now safe, regardless of whether a person uses the Kaspersky Protection browser extension or not.
I note that in the summer of 2019, a similar problem in Kaspersky Lab products had already been discovered by Ronald Eikenberg, editor of the German c't magazine. At the time, he noticed that Kaspersky Lab's security products reveal to sites and other services a unique ID for each user, by which the victim could be successfully tracked.