Opinion

Vulnerabilities – to disclose or not to disclose?

I thought I’d blog today because of the interest that some Internet users are showing in a so-called vulnerability in KIS 6.0.

We know that there’s a glitch in the handling of specially crafted HTTP requests. And we’ll be putting out a hotfix to correct it.

However, whether this is really a vulnerability – much less a critical one, as was announced on certain discussion lists on the Internet – is another question. Calling it a critical vulnerability isn’t really accurate – the only malicious action that this vulnerability can be used for is the download of a malicious program. Although this file, when downloaded, bypasses the Web antivirus monitor, the file is detectable by our products, and cannot be activated once downloaded.

Added to this, we know that the most commonly used browsers, such as Internet Explorer, Mozilla Firefox and Opera, never send requests to servers in this form. A request crafted in this way can only be launched outside the browser by another malicious program, one which we classify as a Trojan-Downloader. Such a combination of circumstances is extremely unlikely. However, even if the malicious file is downloaded successfully, it doesn’t present any serious threat to the user, as it will be blocked by other KIS 6.0 modules.

It’s great that this loophole has been identified. But I’m a bit surprised at the way in which it was made public. Surprising, because everyone in the security world – including the original poster – should be aware of the unwritten rules of vulnerability disclosure: when a vulnerability is detected, the developers of the affected software should be informed BEFORE details of the vulnerability are made public. The developers then usually have at least 7 days to respond and/or patch the error before the vulnerability is disclosed to the public. The person who posted information about the HTTP handling issue on the Internet didn’t contact us first. As I said above, this is surprising, and even a bit depressing.

So, a message to all our blog readers: if you find glitches, vulnerabilities, or anything untoward in any Kaspersky Lab products – contact us! It’ll help us fix the issue more quickly, and ensure that you remain protected.
