  • Kaspersky Online Protection API is vulnerable to website abuse

    Time: Dec. 18, 2019

    The vulnerabilities in Kaspersky software have left an internal API open to webmaster abuse, and so far patch attempts have failed.


    Software developer Wladimir Palant documented the story, which began when he examined the functionality of Kaspersky Web Protection, included in software such as Kaspersky Internet Security 2019. The online protection feature includes analysis of search results to exclude potentially malicious links, ad blocking and tracking prevention.


    Last December, the developer identified a series of vulnerabilities and security problems in the web protection function that any website could trigger.


    Web protection must be able to communicate with Kaspersky's main application, and a "secret" signature value, theoretically unknown to web domains, is used to ensure secure communication. However, a vulnerability allowed websites to "relatively easily" identify this key and "log in to the Kaspersky application and send commands as Web protection would."


    The Chrome and Firefox extensions use native messaging to obtain the signature, while Internet Explorer reads script injections. Without a browser extension, Kaspersky injects its scripts directly into websites. This is where the first security problem occurred, CVE-2019-15685, caused by the abuse of URL Advisor and frames to extract the signature.


    Once the error was reported, Kaspersky developed a solution in July 2019 by blocking websites' access to certain features in the 2020 products. However, other commands can still be accepted, for example listing websites in ad blockers. A new problem also arose from the failed patch: websites were able to access user system data, including unique identifiers of the Kaspersky installation on a PC.


    This accidentally introduced data leak was not the end of the story. According to Palant, the solution also introduced a new vulnerability that could be used to cause a blockage in the antivirus protection process and compromise systems; it was reported as CVE-2019-15686.


    The cybersecurity company then tried another solution to correct the data leak and "mainly" solve the problem of blocking. Websites could no longer be blocked, but browser extensions or local applications could.


    A new patch has been developed and will be available on November 28. However, given an alternative approach to expanding scripts, the developer is not confident that it will really solve the problem.


    Kaspersky has resolved security issues in the web protection component of its products and product extensions for Google Chrome. These security concerns have been resolved in patches 2019 I, J and 2020 E, F, which were provided to users through automatic update procedures.


    It may be necessary to restart to apply these updates. The company also recommends that users ensure that Kaspersky web browser protection extensions are installed and enabled.

