Quis custodiet ipsos custodes?

Or, if your Latin is a bit rusty, “who is guarding the guards themselves”? This was actually my first thought when I’ve read an article published by Heise Online. Apparently, popular security software from Kaspersky Lab, including at least their Internet Security and Antivirus, is still susceptible to the now-well-known POODLE exploit, which allows hackers to perform a man-in-the-middle attack on an SSL 3.0 connection by downgrading the level of encryption and effectively breaking its cryptographic security.

When this vulnerability was published in September, many security researchers called for immediate demise of SSL 3.0, which is a very outdated and in many aspects weak protocol, however quite a lot of older software still doesn’t support TLS, its modern replacement. At the end, many web services, as well as all major browser vendors have implemented some sort of protection against the exploit, either by disabling SSL 3.0 completely or by preventing downgrade attacks using TLS_FALLBACK_SCSV. For a couple of months, we felt safe again.

Well, turns out that getting rid of POODLE isn’t as easy as we thought – it’s not enough to harden both ends of the communication channel, you have to think about the legitimate “men-in-the-middle” as well, which can still be unpatched and vulnerable. This is exactly what happened to Kaspersky’s security products: as soon as the option “Scan encrypted connections” is enabled, they will intercept an outgoing secure connection, decrypt and analyze its content, and then reestablish a new secure connection to the appropriate website. Unfortunately, this new connection is still using SSL 3.0, ready to be exploited.

Think of it: even if you have the latest browser that explicitly disables SSL 3.0, your antivirus software would secretly make your security worse without letting you know (your browser will be connecting to the local proxy using new TLS protocol, which looks perfectly safe). Just like I was writing regarding the Heartbleed bug in April: “there is a fundamental difference between being hacked because of ignoring security best practices and being hacked because our security tools are flawed”. The latter not only adds insult to injury, it can severely undermine user’s trust in security software, which at the end is bad for everyone, even the particular vendor’s competitors.

The problem seems to be originally discovered by a user who posted his findings on Kaspersky’s support forum. I must admit I find the support engineer’s reply very misleading: the SSL vulnerability is by no means irrelevant, and one can imagine multiple scenarios where it could lead to sensitive data leaks.

Well, at least, according to Heise, the company is working on a patch already, which will be released sometime in January. Until then you should think twice before enabling this option: who is going to protect your antivirus after all?


Discover KuppingerCole

KuppingerCole Select

Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live trainings.

Stay Connected

Blog

Spotlight

Compliance, Risk & Security Learn more

Compliance, Risk & Security

Whether public, private or hybrid clouds, whether SaaS, IaaS or PaaS: All these cloud computing approaches are differing in particular with respect to the question, whether the processing sites/parties can be determined or not, and whether the user has influence on the geographical, qualitative and infrastructural conditions of the services provided. Therefore, it is difficult to meet all compliance requirements, particularly within the fields of data protection and data security. The decisive factors are transparency, controllability and influenceability of the service provider and his [...]

Latest Insights

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00