Gloves on as Googler deposits foul zero-day on Kaspersky lawn
Global patch makes for laborious long weekend
Google security man Tavis Ormandy has revealed a dangerous remote zero day vulnerability in Kaspersky kit that grants attackers system privileges.
The bug is a remote "zero interaction" buffer overflow affecting default installation configurations of the latest anti-virus software versions.
"So, about as bad as it gets," Ormandy said on Twitter.
Kaspersky has promised that patches will land within 24 hours of the public zero day disclosure. The company thanked Ormandy, but made no mention of the public disclosure.
"We're improving our mitigation strategies to prevent exploiting of inherent imperfections of our software in the future," the company said in a statement.
"Kaspersky Lab has always supported the assessment of our solutions by independent researchers. Their ongoing efforts help us to make our solutions stronger, more productive and more reliable."
The full disclosure irked security expert Graham Cluley, as it was dropped over the US Labor Day long weekend. A great many folk take advantage of the holiday to travel, making a rapid response harder than would be the case on most other weekends.
"[This] clearly makes it difficult as possible for a corporation to put together a response for concerned users," Cluley said.
"Nonetheless, one remains concerned that in the past malicious hackers have taken details of flaws published by Ormandy and used them in attacks."
Users and admins should apply the fixes as soon as possible. ®