SecNews In Depth IT Security News

  • MANIFESTA Blog
  • Inet
  • Security
  • Investigations
  • tweaks
  • Views
  • TV
  • Search
  • MANIFESTA Blog
  • Inet
  • Security
  • Investigations
  • tweaks
  • Views
  • TV
  • Search
Home / security / Kaspersky's API is open to abuse by websites

Kaspersky's API is open to abuse by websites

26 November 2019, 5:56 pm, by Teo Ehc

Vulnerabilities in Kaspersky software have left an internal API open to abuse by website operators, and the patching efforts so far have failed to close it.

On Monday, software developer Wladimir Palant documented the saga, which began when he started investigating the Kaspersky Web Protection features included in products such as Kaspersky Internet Security 2019. The web protection functionality includes scanning search results to flag potentially malicious links, along with other preventive monitoring.

In December last year, the developer found a set of vulnerabilities and security issues in the Web Protection feature that could be triggered by any website.


Web Protection has to communicate with the main Kaspersky application, and it does so using a secret value that, in theory, is unknown to web domains and is meant to secure that communication. However, a flaw allowed sites to extract this key "quite easily", according to Palant, which would "allow them to establish a connection to the Kaspersky application and send commands exactly as Web Protection would do".

The Chrome and Firefox extensions obtain the signature via native messaging, while Internet Explorer reads it from injected scripts. When no browser extension is installed, Kaspersky injects its scripts directly into the web page, and this is where the first vulnerability, CVE-2019-15685, arises: the URL Advisor script and frames could be abused to extract the signature.

"Websites could use this vulnerability, for example, to silently disable ad blocking and tracking protection functionality", says the developer. "They could also do a lot of things where the impact was not so obvious."

After the bug was reported, Kaspersky released a fix in July 2019 that blocked websites' access to certain functionality in the 2020 product line. However, other commands were still accepted, such as whitelisting websites in the ad blocker (CVE-2019-15686). The incomplete patch also introduced a new issue: websites could access data about the user's system, including unique identifiers of the Kaspersky installation on that computer (CVE-2019-15687).

This unexpected data leak was not the end of the story. Palant says the patch also introduced a new vulnerability that could be used to crash the antivirus process, leaving systems exposed to intrusion (CVE-2019-15686).

The cybersecurity firm then attempted to fix the situation by resolving the data leak and "mostly" fixing the crash problem: websites could no longer cause a crash, but browser extensions or local applications probably still could.

A new patch has been developed and is due for release on 28 November, but because it keeps a "script injection" fallback instead of relying purely on browser extensions, the developer does not have much hope that the problem will be fully resolved.
