SSL certificate validation flaw discovered in Kaspersky AV software
Tavis Ormandy continues his war on buggy antivirus software, as the Google Project Zero researcher reported two serious vulnerabilities, including an SSL certificate validation flaw, in Kaspersky Lab's popular antivirus offering.
Ormandy reported the vulnerabilities to the vendor in November, and Kaspersky released fixes for both on Dec. 28, though publication of the flaws was "slightly delayed due to the holidays," according to the issue reports.
The more serious of the two vulnerabilities, which is rated critical by Project Zero, involves an SSL certificate validation bug that allows an attacker to easily execute man-in-the-middle attacks by brute-forcing a collision between a valid certificate and a malicious certificate.