Kaspersky allegedly sabotaged rivals; Salesforce plugs security flaw; Lenovo laptops' dodgy firmware

Former employees of Kaspersky Lab have claimed that the company tried to damage rival antimalware vendors by tricking the rivals’ antivirus software into identifying benign files as malicious, according to a Reuters report.

The ex-employees reportedly said that the secret campaign to trick rivals’ software targeted Microsoft, AVG, Avast and others.

Reuters said that the former Kaspersky Lab staff claimed that some of the attacks in the campaign were ordered by Kaspersky’s co-founder, Eugene Kaspersky.

The antimalware company reportedly denies it tried to trick rivals with false positives. The Register quoted a Kaspersky Lab statement as saying: “Kaspersky Lab has never conducted any secret campaign to trick competitors into generating false positives to damage their market standing. Such actions are unethical, dishonest and illegal.”

The statement continued: “Accusations by anonymous, disgruntled ex-employees that Kaspersky Lab, or its CEO, was involved in these incidents are meritless and simply false.”

Salesforce patches XSS flaw

Salesforce has reportedly patched a vulnerability that could have allowed attackers to take over Salesforce users’ accounts, or force Salesforce users to download malicious code onto their computers.

The vulnerability was purportedly uncovered by cloud security company Elastica. The company’s Aditya K Sood explained the vulnerability in a blog post.

“Recently, Elastica Cloud Threat Labs discovered a security issue in one of the subdomains of Salesforce used for blogging purposes,” Sood wrote. “This vulnerability in ‘admin.salesforce.com’ could have been exploited by attackers to hijack Salesforce accounts or to distribute malicious code to the users.”

Sood explained that the “subdomain was vulnerable to a reflected Cross-site Scripting (XSS) vulnerability where a specific function in the deployed application failed to sanitize and filter the arbitrary input passed by the remote user as a part of an HTTP request”.

“As a result, the attacker could have executed JavaScript in the context of the application, thereby impacting the privacy and security of Salesforce users. Furthermore, all Salesforce accounts for different applications (including cloud) were at risk because Salesforce uses Single Sign On (SSO) for managing multiple accounts,” Sood wrote.

Sood said the vulnerability was disclosed to Salesforce “more than a month ago”. But according to SC Magazine UK, Salesforce patched the vulnerability just two days before Elastica went public with details of the vulnerability.

Lenovo BIOSs vulnerable

PC manufacturer Lenovo embedded apparently insecure software in the firmware of some of its products, according to technology website Ars Technica.

Ars said that Lenovo used a feature of Windows 8 and 10 to embed the software.

“PC OEMs can embed a Windows executable in their system firmware. Windows 8 and 10 will then extract this executable during boot time and run it automatically. In this way, the OEM can inject software onto a Windows machine even if the operating system was cleanly installed,” Ars explained.

The tech website said that the company dubbed the feature the ‘Lenovo Service Engine’ (LSE), and that between October 2014 and April 2015, Lenovo used the feature to preinstall software on some of its products.

Ars said that on Lenovo laptops, LSE installs ‘OneKey Optimizer’ (OKO) software that the manufacturer bundles on some of its machines. This is problematic, according to Ars, because “LSE and/or OKO appear to be insecure”.

“Security issues, including buffer overflows and insecure network connections, were reported to Lenovo and Microsoft by researcher Roel Schouwenberg in April,” the tech website said.

Lenovo has acknowledged that LSE could be exploited.

“Along with [Roel Schouwenberg], Lenovo and Microsoft have discovered possible ways [LSE] could be exploited in the Lenovo Notebook implementation by an attacker, including a buffer overflow attack and an attempted connection to a Lenovo test server,” Lenovo said in a statement.

The manufacturer said that it has made available new BIOS firmware for some of its consumer PCs that eliminated a security vulnerability linked to LSE. The company recommended that customers update their systems with the new BIOS firmware.

The company said: “Starting in June, the new BIOS firmware has been installed on all newly manufactured Lenovo consumer notebook and desktop systems.”

It also said that “LSE is no longer being installed on Lenovo systems”.

A list of Lenovo products affected by the vulnerability is available here.

Image courtesy David Orban under CC