Faulty data processing in klif.sys driver

On September 12, 2007, Rootkit.com published a report regarding two vulnerabilities affecting product operation in Kaspersky Lab products for Windows (view report).

This is not the first time that this author has failed to notify us about a vulnerability before making it public, despite the fact that notifying the vendor first is de facto an industry standard.

The article describes the following situations:

  1. The absence of data checking in klif.sys driver may result in a critical system error (BSOD) when malicious code is executed locally.

    Kaspersky Lab does not regard this vulnerability as critical because this piece of code does not provide any benefits for malware writers. Exploiting this vulnerability draws attention to the presences of malware in the system, but it can neither be exploited from a remote computer nor does it enable privilege escalation for the attacker. However, the code in which the vulnerability was found is outdated – it is not needed on contemporary computer systems, therefore we are removing this code from our products.

    The data processing error in the klif.sys driver will be corrected in an update to Kaspersky Lab products to be released in November 2007.

  2. Calling the DuplicateHandle routine for the antivirus thread makes it possible to suspend the thread.

    Kaspersky Lab does not consider this to be a vulnerability: it is not an error in our code, but an obscure method for manipulating standard Windows routines to circumvent our self-defense mechanisms. As a matter of fact, according to (test results, Kaspersky self-defense capabilities are the most robust in the industry. While we are continually improving our self-defense capabilities, we do prioritize issues balancing between security, degree of seriousness and probability of use.

    We would like to remind users that our robust protection works best in conjunction with best computing practices, including scan everything that you download onto your machine and only run programs from reputable sources.

      09.24.2007