Web Protection functionality said to be exploitable, as patching row rumbles on

Kaspersky security software allegedly fails to protect an internal API properly, allowing any website to abuse internal application functionality.

Wladimir Palant, creator of the AdblockPlus browser extension, further alleges that attempts by Kaspersky to patch this and other problems he uncovered remain deficient.

Palant went public on Monday (November 25) with more details surrounding one of a number of purported vulnerabilities in Kaspersky’s security software that he began uncovering in December last year.

According to Palant, Kaspersky has partially addressed some of the issues he first discovered in Kaspersky Internet Security 2019 with the release of Kaspersky Internet Security 2020 last July.

Despite these partial fixes, some of the initial bugs he uncovered remain unresolved, according to the researcher.

That would be bad enough in itself, but Palant reports finding additional bugs during some follow-up investigations this year.

Some of these issues (such as a bug that causes the software to crash), were caused by shortcomings in Kaspersky’s fix, he said.

Other unresolved flaws allegedly include vulnerabilities that allow websites to uninstall browser extensions, track users across Private Browsing sessions or different browsers, and even control some functionality of Kaspersky software.

Push me, pull you

As previously reported by The Daily Swig, Palant and Kaspersky have been locked together in an ongoing disclosure process since last December,

On Sunday, Kaspersky published a blog post stating it had resolved the bugs discovered by Palant in the communication channel between a browser extension designed to block ads and trackers and the core components of its security suite.

Kaspersky added that it had also resolved a vulnerability that disclosed unique IDs to websites visited by users of Kaspersky products, discovered in its original form by Ronald Eikenberg of c’t magazine before Palant uncovered a further variant.

YOU MIGHT ALSO LIKE Web trackers using CNAME Cloaking to bypass browsers’ ad blockers

Palant followed up on Monday with a post arguing that the web protection component of Kaspersky’s software remains vulnerable.

“Due to the way its Web Protection feature is implemented, internal application functionality can used by any website,” Palant writes.

“It doesn’t matter whether you allowed Kaspersky Protection browser extension to be installed, Web Protection functionality is active regardless and exploitable.”

Internal Kaspersky API exposed to websites, researcher allegesKaspersky API still exposed to websites, researcher alleges

Web Protection is a component of Kaspersky’s security suites designed to flag up malicious search results, as well as blocking advertising and tracking.

The software runs in the browser and needs to communicate with the main application. This functionality is full of bugs, according to Palant, who lays out his concerns in a technical blog post, also published on Monday.

Treat the problem, not the symptoms

In response to request from The Daily Swig for comment on Palant’s latest findings, Kaspersky said its security software has already been patched.

“These security issues were fixed by patches 2019 I, J and 2020 E, F, which were delivered to users through the automatic update procedures,” it said. “A reboot may be required to apply these updates. We also recommend that users make sure that Kaspersky protection extensions for web browsers are installed and enabled.”

At least some of the various flaws Palant uncovered are “high severity”, Kaspersky went on to acknowledge.

“The researcher found vulnerabilities of the different severity in our products, and we recognize that some of the reported vulnerabilities were severe enough, Kaspersky explained. “For instance, as for severe flaws, we can mention vulnerability found in the web protection module: due to a bug in its implementation, it potentially allowed an attacker to disable various anti-virus protection features remotely. Thus, our Product Security Team assessed the severity of this issue as high because an attacker can terminate the product service process.”

"All reported vulnerabilities found in the web protection module are described in the issued security advisory," it added.

Bigger picture

For his part, Palant expressed exasperation about Kaspersky’s remediation efforts, arguing that the security vendor had tackled the symptoms rather than the root cause of the problem throughout.

“The issues I reported are fixed – in the sense that my proofs of concept won’t work any more,” Palant told The Daily Swig. “But the root issue that websites can communicate with the Kaspersky application remains unaddressed, they can still do it.”

“As long as nobody proves this communication channel to be exploitable, Kaspersky doesn’t consider it a vulnerability,” he added.

Palant concluded that he felt he’d done as much as he could to push the issue, whose resolution has been complicated by poor communication between himself and Kaspersky.

“This has actually been a persistent pattern in my communication with Kaspersky: they’ve always fixed only the exact issue I demonstrated, never looking at the bigger picture,” he said.

“That’s also why it took so many iterations. But I’m out now, I have no incentive to keep this up.”

This story was updated at 1330 on November 28 to add comment from Kaspersky.

RELATED ‘Kaspersky-in-the-Middle’ bugs triaged