Kaspersky Lab’s Internet Security 2013 product contains a bug that can be exploited remotely, especially on local networks, to completely freeze the operating system on computers running the software.
The bug can be attacked by sending a specifically crafted IPv6 (Internet Protocol version 6) packet to computers running Kaspersky Internet Security 2013 and other Kaspersky products that have the firewall functionality, security researcher Marc Heuse said this week in an advisory published on the Full Disclosure mailing list.
“A fragmented packet with multiple but one large extension header leads to a complete freeze of the operating system,” he said. “No log message or warning window is generated, nor is the system able to perform any task.”
IPv6 support is enabled by default for network interfaces in Windows Vista and later, as well as in many Linux distributions and in Mac OS. IPv6 adoption on the Internet is relatively low at the moment so the number of computers that are publicly accessible over IPv6 is not very high. However, most computers are accessible over IPv6 on local networks and have local IPv6 addresses assigned to them by default.
Reported bug, then released exploit
Heuse claims that he reported the bug to Kaspersky Lab on January 21 and again on February 14, but received no feedback from the company so he decided to disclose it publicly. In addition to the advisory he also published a proof-of-concept tool that can exploit the bug.
Kaspersky Lab acknowledged the existence of the issue for Kaspersky Internet Security 2013. “After receiving feedback from the researcher, Kaspersky Lab quickly fixed the error,” the company said via email. “A private patch is currently available on demand and an autopatch will soon be released to fix the problem automatically on every computer protected by Kaspersky Internet Security 2013.”
Although the issue is valid, there was no threat of malicious activity affecting the computers of any users who experienced the rare problem, the company said. “Actions have been taken to prevent such incidents from occurring in the future,” it said.
The company could not immediately confirm whether any other of its products are affected as well.