Secunia reports Kaspersky vulnerabilities as highly critical

Secunia yesterday released a highly critical advisory for multiple vulnerabilities in several Kaspersky Lab products that could allow remote attackers to access or steal files and local attackers to bypass security measures.

Kaspersky released a fix this week for these flaws, several of which were reported to the company by researchers from VeriSign iDefense Labs and TippingPoint as long ago as last November.

Reported as a part of TippingPoint’s Zero Day Initiative, the oldest of the bunch was a bug in the way Kaspersky’s anti-virus engine handled the ARJ archive format that can enable remote attacks.

“The Kaspersky engine copies data from scanned archives into an unchecked heap-based buffer,” according to an advisory on the Zero Day Initiative website. “This results in heap corruption when a malformed ARJ archive is processed by an application that utilizes the engine. This corruption can be exploited to execute arbitrary code.”