An employee works at the headquarters of security firm Kaspersky Labs in Moscow, Russia. A recently discovered security flaw in the company's software was described as "about as bad as it gets" by a Google engineer. (Reuters)

A zero-day vulnerability has been discovered within Kaspersky's antivirus software by a security researcher at Google. Tavis Ormandy, an information security engineer at Google, described the security flaw as "about as bad as it gets" after successfully exploiting the vulnerability.

The flaw was brought to the attention of Kaspersky after Ormandy tweeted an image of the vulnerability on Saturday (5 September). He later said that the glitch was "a remote, zero interaction SYSTEM exploit, in default config. So, about as bad as it gets."

Security expert Graham Cluley, who wrote about the vulnerability in his latest blogpost, questioned the timing of the disclosure. By posting it at the beginning of Labor Day weekend in the US, Cluley claimed Ormandy could have put users of the antivirus software at risk.

"His critics, of which I'm one, fear that he has sometimes put innocent users at risk by not working on a co-ordinated disclosure with the manufacturer of the vulnerable software, ensuring that all users are protected with a patch before details of how to exploit the flaw are made public," Cluley said.

What is a zero-day vulnerability?

A zero-day vulnerability refers to a flaw in the software which is unknown to the manufacturer. Such security holes are susceptible to being exploited by hackers as there is usually a window between the flaw being found (day zero) and the vendor issuing a fix.

"One has to question the timing of Ormandy's announcement just before a long holiday weekend in the United States, which clearly makes it as difficult as possible for a corporation to put together a response for concerned users. I suppose we should be grateful that he at least ensured that Ryan Naraine, a reporter at Kaspersky's Threatpost blog, was cc'd on the announcement."

Ormandy said that Kaspersky told him that a fix was going to be rolled out globally within 24 hours of the flaw being reported. At the time of publication, Kaspersky had not responded to a request for comment from IBTimes UK.

UPDATE: Kaspersky has issued an official statement on the matter.

"We would like to thank Mr. Tavis Ormandy for reporting to us a buffer overflow vulnerability, which our specialists fixed within 24 hours of its disclosure. A fix has already been distributed via automatic updates to all our clients and customers. We're improving our mitigation strategies to prevent exploiting of inherent imperfections of our software in the future. For instance, we already use such technologies as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).

"Kaspersky Lab has always supported the assessment of our solutions by independent researchers. Their ongoing efforts help us to make our solutions stronger, more productive and more reliable."