Opinion

Vulnerabilities – to disclose or not to disclose?

I thought I’d blog today because of the interest that some Internet users are showing in a so-called vulnerability in KIS (Kaspersky Internet Security) 6.0.

We know that there’s a glitch in the handling of specially crafted HTTP requests. And we’ll be putting out a hotfix to correct it.

However, whether this is really a vulnerability – much less a critical one, as was announced on certain discussion lists on the Internet – is another question. Calling it a critical vulnerability isn’t accurate: the only malicious action this flaw can be used for is the download of a malicious program. Although such a file bypasses the Web antivirus monitor at the moment it is downloaded, it is still detected by our products and cannot be activated once it is on the disk.

Added to this, we know that the most commonly used browsers, such as Internet Explorer, Mozilla Firefox and Opera, never send requests to servers in this form. A request crafted in this way can only be issued outside the browser by another malicious program, one which we classify as a Trojan-Downloader; in other words, exploiting the flaw requires malware that is already running on the machine. Such a combination of circumstances is extremely unlikely. And even if the malicious file is downloaded successfully, it doesn’t present any serious threat to the user, as it will be blocked by other KIS 6.0 modules.

It’s great that this loophole has been identified. But I’m a bit surprised at the way in which it was made public. Surprising, because everyone in the security world, including the original poster, should be aware of the unwritten rules of vulnerability disclosure: when a vulnerability is found, the developers of the affected software should be informed BEFORE details of the vulnerability are made public. The developers then usually have at least 7 days to respond and/or patch the error before the vulnerability is disclosed to the public. The person who posted information about the HTTP handling issue on the Internet didn’t contact us first. As I said above, this is surprising, and even a bit depressing.

So, a message to all our blog readers: if you find glitches, vulnerabilities, or anything untoward in any Kaspersky Lab products – contact us! It’ll help us fix the issue more quickly, and ensure that you remain protected.
