
Bug found in Kaspersky Internet Security 2013

A security researcher has uncovered a bug in Kaspersky’s Internet Security 2013 product that leaves users’ computers open to remote exploitation, which can result in a total operating system freeze.

Marc Heuse revealed the bug on the Full Disclosure website, explaining that it allows individuals who can connect to other computers remotely – particularly within local networks – to send an Internet Protocol version 6 (IPv6) packet that can freeze the target computer's operating system without any warning or notification.

“If IPv6 connectivity to a victim is possible (which is always the case on local networks), a fragmented packet with multiple but one large extension header leads to a complete freeze of the operating system. No log message or warning window is generated, nor is the system able to perform any task,” said Heuse.

According to Heuse, he reported the bug to Kaspersky twice – once in January and once in February – but received no response, prompting him to reveal the bug on the public forum.

He has also posted instructions to test his claims on the Full Disclosure site.

Reports claim Kaspersky has acknowledged the bug and that a patch is available on request, with an automatic update to follow.
