back to article Gloves on as Googler deposits foul zero-day on Kaspersky lawn

Google security man Tavis Ormandy has revealed a dangerous remote zero day vulnerability in Kaspersky kit that grants attackers system privileges. The bug is a remote "zero interaction" buffer overflow affecting default installation configurations of the latest anti-virus software versions. "So, about as bad as it gets," …

  1. Ole Juul

    Love the smell of zero day in the morning.

    "[This] clearly makes it difficult as possible for a corporation to put together a response for concerned users," Cluley says.

    Should that not read "an unconcerned corporation to put together a response for concerned users"? Sorry if it's inconvenient, but after all this is the work they get paid for.

    1. Destroy All Monsters Silver badge
      Headmaster

      Re: Love the smell of zero day in the morning.

      If they get paid for it, they ARE concerned.

      This is how capitalism works.

      If they are paid for it and are UNCONCERNED, you have a government service.

      1. Ole Juul

        Re: Love the smell of zero day in the morning.

        It was Cluley who was bitching about having to work on the weekend. Kaspersky is obvious concerned and rising to the occasion.

        1. Tom 13

          Re: It was Cluley who was bitching

          No. It was Cluely who was noting that BECAUSE it was a US HOLIDAY weekend, many US corporate staff were likely to be less available than they would on a regular weekend.

  2. Frank Zuiderduin

    RU != US

    Why would a public holiday which is only celebrated on that particular day in the US bother corporations in the rest of the world? Yesterday wasn't Labour day anywhere else (except Canada, if I'm not mistaken).

    1. Anonymous Coward
      Anonymous Coward

      Re: RU != US

      Public holiday aside. The more interesting is the double standard when US corporations are given 90 days by policy (which they still think is not enough) and the ENEMY is given a nice rounded ZERO.

      Now, anyone complaining that the ENEMY starts to treat us as an ENEMY after that should just go STFU.

  3. psychonaut

    A bit shitty though

    Why go public before they have time to patch it?

    1. ratfox

      Re: A bit shitty though

      That I understand, it's just the existence of the vulnerability that was disclosed, not the vulnerability itself. That can be announced before; it even serves as a heads-up that a fix is coming imminently.

      1. psychonaut

        Re: A bit shitty though

        ah, right, sorry i read it as theyd released the flaw

    2. Busby

      Re: A bit shitty though

      Not sure about Kaspersky but lots of companies don't patch or certainly not quickly when informed of a vulnerability. Publicly disclosing it exists is a good way of forcing the hand of corporations as a little public shaming can go a long way in ensuring the patch gets proper priority and resources.

  4. Anonymous Coward
    Anonymous Coward

    Sophos' responsible-disclosure die hard Graham Cluley,

    Didn't Cluley leave Sophos some time ago?

  5. Anonymous Coward
    FAIL

    Dear Google....

    ...still waiting for the patch for all the security flaws in my 2 year old Android phone. Thanks.

    1. Pascal Monett Silver badge

      Re: Dear Google....

      Android phone updates are a mess. In many cases, Google patches, but the carriers don't push the update because they have to go and rebuild their messy, bloatware-filled version every time and carriers don't want to spend money on that.

    2. Anonymous Coward
      Anonymous Coward

      Re: Dear Google....

      "2 year old Android phone"

      Is it a Google Nexus Phone or a PE phone? If so they should have all the fixes already, if not then surely it is up to the manufacturer to fix the issues that Google have provided the patches for. As the manufacturer and the carrier has to put out the fix, surely it would then be their responsibility?

  6. Adam 1

    What happened to 90 days?

  7. Alan Brown Silver badge

    "What happened to 90 days?"

    Nothing. If you want to give 90 days then go right ahead and do so.

    If it happens to be a Volkswagon bug that's more than long enough for them to slap a gagging order on you.

    Back on topic: It's nice to see Kaspersky's response. No bitchiness, just getting on with the patch.

  8. TeeCee Gold badge
    Black Helicopters

    Oh dear!

    Somebody found the FSB's backdoor.

  9. Graham 32
    Headmaster

    Is it cold...

    ... or did you mean the gloves are OFF?

    Gloves on = fighting fair

    Gloves off = fighting dirty

  10. NikNakk

    To b fair to Kaspersky, the fix was announced and deployed within 24 hours of disclosure, and for end-users with automatic updates enabled (as they are by default), the patch will have been in place before this article was published. It also seems that Ormandy's public disclosure was sufficiently vague to have made exploitation in that brief window unlikely.

    Given that almost all software will be found at some point to have security vulnerabilities, if anything Kaspersky's rapid response has increased my respect for the company.

    1. dpeters11

      It was pushed out as a module update with virus definitions, so even Enterprise users should have it now.

  11. Tikimon

    Kaspersky did NOT deserve the public disclosure

    Kaspersky labs (in spite of many attempts to slime them in the press) are always up-front and responsive to any concerns or problems in their products. The notion of "go public so something is done" is total BS in this case. The only reason to go public first is so Ormandy can publicly beat his chest. If he notifies Kaspersky first, they fix it and he loses his thunder.

    Shame on Ormandy for his cheap shot for public credit.

    Kudos to Kaspersky Labs for their usual quick and sincere response... and also for not calling Ormandy out for the attention-grabbing stab in the back.

  12. x 7

    Putin's going to need a new back door now

  13. TomG

    This is 2017.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like