Kaspersky Lab comments on a report regarding a vulnerability in the company's antivirus products
04 Oct 2005
There has recently been a wide-ranging discussion in the mass media about a report by Alex Wheeler, an independent researcher, that a vulnerability related to processing files of the CAB format has been discovered in Kaspersky Lab antivirus products. Taking into account the close attention of the computer community, Kaspersky Lab considers it necessary to provide official comments on the incident.
The company confirms the presence of a vulnerability in a Kaspersky Anti-Virus module used to process CAB files. Taking advantage of this vulnerability results in a malfunction of the antivirus program. This effect is present only in the Windows environment and does not affect other operating systems.
At the same time, Kaspersky Lab specialists have taken measures to eliminate the threat related to the CAB module vulnerability. First of all, on receiving the relevant data, the virus analyst team quickly created a package of signatures that detect possible exploits of this vulnerability (procedures that use the vulnerability to compromise a computer). This set of signatures was added to the antivirus databases of Kaspersky Anti-Virus on September 29, significantly reducing the chances that exploits of the CAB vulnerability could be used successfully. Furthermore, no attempts to create and distribute such exploits have been recorded to date. In this connection, it should be noted that Alex Wheeler, who discovered the vulnerability in question, has not provided demonstration code that uses it.
All in all, based on the above factors it can be stated that the actual threat posed by the CAB vulnerability is minimal and cannot affect the level of antivirus protection provided by Kaspersky Lab products.
Kaspersky Lab experts are currently developing an emergency update of the company's antivirus products which include the CAB module affected by the vulnerability. The revised list of such products includes: Kaspersky Anti-Virus Personal 5.0, Kaspersky Anti-Virus Personal Pro 5.0, Kaspersky Anti-Virus 5.0 for Windows Workstations, Kaspersky Anti-Virus 5.0 for Windows File Servers, Kaspersky Personal Security Suite 1.1. Importantly, version 4.5 of Kaspersky Lab's antivirus products is not affected by the vulnerability. An update which eliminates the vulnerability is now available, and can be installed using standard update procedures: ftp://ftp.kaspersky.ru/updates50/AutoPatches/windows/
Kaspersky Lab is also a known provider of antivirus solutions for OEM and technology partners. The majority of solutions distributed by Kaspersky Lab OEM and technology partners do not incorporate the vulnerable module and thus are not affected. Furthermore, the signature database update released by Kaspersky Lab on the 29th of September prevents potential attacks by detecting and neutralizing the malicious code of a possible exploit before the system can be affected. This countermeasure provides the necessary level of protection for potentially vulnerable systems until a software update is released.