UXSS flaw raises concerns about security software intercepting encrypted connections

UPDATED Kaspersky has fixed three vulnerabilities in its security software, including a universal cross-site scripting (UXSS) flaw.

The three resolved vulnerabilities are among a grand total of eight bugs discovered by Germany-based software developer Wladimir Palant last December.

Palant went public with details of the first tranche of bugs on Tuesday, some time after they were patched by Kaspersky back in April.

He’s agreed to hold off on the details of five other 2018 finds in order to give end users time to apply updates pushed out by Kaspersky last month. Palant recently found three further bugs in Kaspersky's software, which he reported but which are still going through vulnerability disclosure and remediation.

The first batch of flaws highlights the security downsides that could potentially arise from the interception of secure HTTPS connections by antivirus vendors – something that remains a common, industry-wide practice.

Kaspersky’s Internet Security suite, for example, sits between a web server and a user’s browser in order to ‘protect’ customers from web security threats. Breaking up a secure HTTPS connection is done in order to inspect content which would otherwise be unintelligible.

Critics argue that the practice threatens user privacy through the use of unique IDs, which could allow websites to track users, regardless of the protective measures they might take.

Worse yet, Kaspersky’s implementation opens up an attack vector for manipulating page contents and rerouting traffic to a malicious server, Palant found.

The researcher explains some of the various security shortcomings he discovered – including poor HSTS support and a ‘clickjacking’ vulnerability, as well as the more serious use of injected content for UXSS – in a blog post.
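To make the HSTS point concrete, the following is an added example (not code from the article, from Palant, or from Kaspersky) of the policy cache a browser keeps for the Strict-Transport-Security header, following RFC 6797: a policy may only be set by a header received over an error-free TLS connection, it expires after max-age, and it covers subdomains only when includeSubDomains is present. The scenario it runs is constructed: a response from the placeholder host `example.test` is either forwarded intact or reaches the client with the header stripped, and the function reports whether a later plain-HTTP navigation to a subdomain is upgraded. Any component that sits between browser and server, as the article describes, has to preserve this behaviour on its own connections for the protection to survive.

```python
"""Minimal HSTS policy cache (RFC 6797) used to check header handling offline.

Added illustration; not the article's or any vendor's code. Host names are
placeholders and the responses are constructed inline.
"""
from __future__ import annotations

from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def parse_sts_header(value: str) -> Optional[tuple[int, bool]]:
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header is invalid: max-age is mandatory, a repeated
    directive invalidates the header (RFC 6797 section 6.1), and unknown
    directives are ignored. Directive names are case-insensitive and values
    may be quoted.
    """
    max_age: Optional[int] = None
    include_sub = False
    seen: set[str] = set()
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    """Known-HSTS-host store keyed by lower-cased host name."""

    def __init__(self) -> None:
        # host -> (absolute expiry time in seconds, include_subdomains)
        self._hosts: dict[str, tuple[float, bool]] = {}

    def process_response(self, host: str, over_tls: bool,
                         headers: dict[str, str], now: float) -> None:
        """Apply an STS header; only a response carried over TLS may set policy."""
        sts = next((v for k, v in headers.items()
                    if k.lower() == "strict-transport-security"), None)
        if not over_tls or sts is None:
            return
        parsed = parse_sts_header(sts)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 withdraws the policy
            return
        self._hosts[host] = (now + max_age, include_sub)

    def is_known(self, host: str, now: float) -> bool:
        """True if host or a covering parent domain has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue
            if i == 0 or entry[1]:  # exact match, or parent with includeSubDomains
                return True
        return False

    def rewrite_url(self, url: str, now: float) -> str:
        """Upgrade an http:// URL to https:// when the host is a known HSTS host."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known(parts.hostname, now):
            return url
        netloc = parts.hostname
        if parts.port and parts.port != 80:  # port 80 becomes 443 implicitly
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def upgrade_after_response(forwarded_headers: dict[str, str]) -> str:
    """Constructed scenario: a TLS response from example.test (placeholder) arrives
    with the given headers; report the URL used for a later plain-HTTP request
    to a subdomain. A middlebox that drops the header leaves it un-upgraded."""
    cache = HstsCache()
    cache.process_response("example.test", True, forwarded_headers, now=1000.0)
    return cache.rewrite_url("http://sub.example.test/login", now=2000.0)


if __name__ == "__main__":
    intact = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    print("header forwarded :", upgrade_after_response(intact))
    print("header stripped  :", upgrade_after_response({}))
```

Running the block prints the upgraded `https://` URL for the intact response and the original `http://` URL when the header is missing; a third case worth trying is a header without includeSubDomains, which protects `example.test` itself but not `sub.example.test`.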

The UXSS vulnerability is nasty, but restricted to users of Microsoft’s Edge browser.

Kaspersky acknowledged the findings and updated its software in an attempt to address these various shortcomings.

In response to a query from The Daily Swig, a Kaspersky spokesperson said: “Kaspersky has fixed a security issue in its products, which could potentially allow cybercriminals to use the URL Advisor component to inject and execute malicious scripts into the context of other domains in the Microsoft Edge browser. To achieve this, an attacker would need to lure a user to a maliciously crafted web page.

“Kaspersky has also improved our web protection component with additional security measures, to protect users from MITM (man-in-the-middle) attacks, including those that are targeted to HSTS web resources.”

The latest versions of its security suites are immune to the flaws, the security software firm added.

“These security issues have been fixed in the 2019 versions of our products, including Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Security, Kaspersky Free Anti-Virus and Kaspersky Small Office Security, by Patch E, which was released on 18 April 2019 and delivered to customers through an auto-update procedure. Users of the latest versions of our products (released from 2020) are unaffected by these issues.

“We would like to thank the researcher, Wladimir Palant, who discovered these security issues and reported them responsibly to us.”

This story was updated on 21 August, with comment from Palant, with an accurate discovery and disclosure timeline, reflecting that three bugs are still going through the disclosure process and remain unaddressed.