Kaspersky Antivirus Crash Vulnerable
DOS exploit found in Kaspersky Internet Security 2010 and Kaspersky AntiVirus 2010
A recent security report from Maksymilian Arciemowicz presented on the SecurityReason website details how remote users could crash PCs running
Kaspersky-owned products. Pointing the antivirus to parse a URL, the users' CPU can be tricked to consume excessive resources and eventually crash.
The vulnerability affects
Kaspersky Internet Security 2010 9.0.0.459 antivirus and its brother, the
Kaspersky Antivirus 2010 9.0.0.463 version. The exploit was discovered on August 18th 2009, Kaspersky not being able to release a security update patch to this problem at the time when this article was written (check for updates at the bottom of the page).
The problem with these two antivirus versions appears when parsing a URL address. Using a lot of consecutive dots inside the address, the Kaspersky native avp.exe process will soar CPU usage up to 100%. At first, traffic via the browser will get blocked, and eventually, if enough consecutive dots have been passed inside the URL address, the computer will crash.
This exploit can be used inside HTML files, as normal href values or as img image sources. It will also work inside HTML email bodies. The code can be used remotely, and will lead to a denial-of-service that could alter computer hardware or software.
According to Maksymilian Arciemowicz, “The main problem exists in parsing url addresses […] Relativistic time to return to normal behavior is very long. In practice, when we give a large number of dots, kaspesky will not return to normal behavior.” He also added that, “This example will denial access to the browser and other kaspersky operations […] The user who executed the code above, will be deprived of the possibility of browsing and successive reset the Kaspersky.”
SecurityReason has classified this DOS attack vulnerability as a medium threat to PC users. Details and code exploit examples can be found at this
link.
