Vulnerabilities > Kaspersky LAB

DATE | CVE | VULNERABILITY TITLE | RISK

2009-12-29 | CVE-2009-4452 | Permissions, Privileges, and Access Controls vulnerability in Kaspersky LAB products | 6.8
Kaspersky Anti-Virus 5.0 (5.0.712); Antivirus Personal 5.0.x; Anti-Virus 6.0 (6.0.3.837), 7 (7.0.1.325), 2009 (8.0.0.x), and 2010 (9.0.0.463); and Internet Security 7 (7.0.1.325), 2009 (8.0.0.x), and 2010 (9.0.0.463); use weak permissions (Everyone:Full Control) for the BASES directory, which allows local users to gain SYSTEM privileges by replacing an executable or DLL with a Trojan horse.
local | low complexity | kaspersky-lab CWE-264

2009-02-10 | CVE-2009-0449 | Buffer Errors vulnerability in Kaspersky LAB Kaspersky Anti-Virus 2008/6.0 | 7.2
Buffer overflow in klim5.sys in Kaspersky Anti-Virus for Workstations 6.0 and Anti-Virus 2008 allows local users to gain privileges via an IOCTL 0x80052110 call.
local | low complexity | kaspersky-lab CWE-119

2008-12-11 | CVE-2008-5426 | Resource Management Errors vulnerability in Kaspersky LAB Kaspersky Internet Security Suite 2009 | 4.3
Kaspersky Internet Security Suite 2009 does not properly handle (1) multipart/mixed e-mail messages with many MIME parts and possibly (2) e-mail messages with many "Content-type: message/rfc822;" headers, which allows remote attackers to cause a denial of service (stack consumption or other resource consumption) via a large e-mail message, a related issue to CVE-2006-1173.

2008-06-05 | CVE-2008-1518 | Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in Kaspersky LAB Kaspersky Anti-Virus and Kaspersky Internet Security | 7.2
Stack-based buffer overflow in kl1.sys in Kaspersky Anti-Virus 6.0 and 7.0 and Internet Security 6.0 and 7.0 allows local users to gain privileges via an IOCTL 0x800520e8 call.
local | low complexity | kaspersky-lab CWE-119

2007-10-12 | CVE-2007-3675 | Use of Externally-Controlled Format String vulnerability in Kaspersky LAB Online Scanner | critical 9.3
Multiple format string vulnerabilities in the kavwebscan.CKAVWebScan ActiveX control (kavwebscan.dll) in Kaspersky Online Scanner before 5.0.98 allow remote attackers to execute arbitrary code via format string specifiers in "various string formatting functions," which trigger heap-based buffer overflows.
network | kaspersky-lab CWE-134

2007-09-26 | CVE-2007-5086 | Improper Input Validation vulnerability in Kaspersky LAB Kaspersky Anti-Virus and Kaspersky Internet Security | 2.1
Kaspersky Anti-Virus (KAV) and Internet Security 7.0 build 125 do not properly validate certain parameters to System Service Descriptor Table (SSDT) and Shadow SSDT function handlers, which allows local users to cause a denial of service (crash) via the (1) NtUserSendInput, (2) LoadLibraryA, (3) NtOpenProcess, (4) NtOpenThread, (5) NtTerminateProcess, (6) NtUserFindWindowEx, and (7) NtUserBuildHwndList kernel SSDT hooks in kylif.sys; the (8) NtDuplicateObject (DuplicateHandle) kernel SSDT hook; and possibly other kernel SSDT hooks.
local | low complexity | kaspersky-lab CWE-20

2007-09-24 | CVE-2007-5043 | Improper Input Validation vulnerability in Kaspersky LAB Kaspersky Internet Security 7.0.0.125 | 4.4
Kaspersky Internet Security 7.0.0.125 does not properly validate certain parameters to System Service Descriptor Table (SSDT) function handlers, which allows local users to (1) cause a denial of service (crash) and possibly gain privileges via the NtCreateSection kernel SSDT hook or (2) cause a denial of service (avp.exe service outage) via the NtLoadDriver kernel SSDT hook.

2007-08-08 | CVE-2007-4206 | Unspecified vulnerability in Kaspersky LAB Kaspersky Anti-Spam | 4.4
Kaspersky Anti-Spam 3.0 MP1 before Critical Fix 2 (3.0.278.4) sets incorrect permissions for application files in certain upgrade scenarios, which might allow local users to gain privileges.

2007-07-19 | CVE-2007-3906 | Denial of Service vulnerability in Kaspersky Anti-Virus 5.5 for Check Point Firewall-1 | 5.0
Unspecified vulnerability in Kaspersky Anti-Virus for Check Point FireWall-1 before Critical Fix 1 (5.5.161.0) might allow attackers to cause a denial of service (kernel hang) via unspecified vectors.
network | low complexity | kaspersky-lab

2007-06-30 | CVE-2007-3502 | Authentication Bypass vulnerability in Kaspersky Anti-Spam Unauthorized Directory Access | 7.5
Unspecified vulnerability in the web-based product configuration system in Kaspersky Anti-Spam before 3.0 MP1 allows remote attackers to obtain access to certain directories.
network | low complexity | kaspersky-lab