Kaspersky Anti-Virus 6.0, Kaspersky Internet Security 6.0 - 5 vulnerabilities fixed in Maintenance Pack 2.0 build

Pertains to the following products:

  • Kaspersky Anti-Virus 6.0
  • Kaspersky Internet Security 6.0

Vulnerabilities fixed:

  • Kaspersky Antivirus ActiveX Unsage Methods Vulnerability
  • Kaspersky Anti-Virus SysInfo ActiveX Control Information Disclosure Vulnerability
  • Kaspersky AV Library Remote Heap Overflow
  • klif.sys Heap Overflow Vulnerability
  • KLIF Local Privilege Escalation Vulnerability

Kaspersky Antivirus ActiveX Unsafe Methods Vulnerability1

This vulnerability allows remote attackers to download and remove any file on vulnerable versions of Kaspersky Anti-Virus. User interaction is required to exploit this vulnerability: the user must visit a webpage which takes advantage of this vulnerability. The specific flaw exists within the ActiveX controls in AxKLProd60.dll and AxKLSysInfo.dll

During installation of Maintenance Pack 2, the DLLs will be removed from the system.

Kaspersky Anti Virus SysInfo ActiveX Control Information Disclosure Vulnerability2

The remote exploitation of the information disclosure vulnerability in Kaspersky Anti-Virus 6.0 could allow malicious websites to steal files from end user machine running Kaspersky Anti-Virus.

The SysInfo ActiveX control includes a method called StartUploading which allows malicious web scripts to perform an anonymous FTP transfer of any file the scripts identify on the victim's machine. No dialogs, warnings or user action is required to perform the transfer.

During installation of Maintenance Pack 2, this DLL will be removed from system.

Kaspersky AV Library Remote Heap Overflow1

This vulnerability affected systems which are running the Kaspersky Anti-Virus Engine. User interaction is not required to exploit this vulnerability.

The OnDemand Scanner incorrectly parses specially crafted ARJ archives inside the arj.ppl module. This results in a memory overrun. Most often the product simply crashes. The corruption potentially can be exploited to execute arbitrary code without user interaction. Any products using arj.ppl are vulnerable.

klif.sys Heap Overflow Vulnerability2

Locally executed code can write some special values into registry that hangs klif.sys driver, part of the proactive protection. The driver hooks and screens certain system calls, including registry functions. One of the hook functions is vulnerable to an integer overflow that leads to a kernel heap overflow. If a large unsigned value for the data size argument is passed an arithmetic overflow occurs when the amount of memory to allocate is calculated. A copy operation into this buffer causes a corruption of kernel page pool memory.

KLIF Local Privilege Escalation Vulnerability

This vulnerability allows locally executed code to receive Ring-0 privileges through klif.sys unsafe code. User interaction is required to execute the code. The vulnerability is local and code should first appear on user's computer.

All these vulnerabilities have been fixed in the build 6.0.2. 614.

1 Kaspersky would like to thank an anonymous researcher working with TippingPoint (www.tippingpoint.com) and the Zero Day Initiative (www.zerodayinitiative.com) for reporting this issue.

2Kaspersky would like to thank iDefence (http://labs.idefense.com) for reporting this issue.


Download Here