Kaspersky and Absolute feud over vulnerability allegations


By Dylan Bushell-Embling
Monday, 17 February, 2014


How hard are security companies expected to try to contact vendors before publishing reports that may cast their products in a bad light? The controversy ensuing from a report published last week by Kaspersky Lab revolves around this question.

The report alleges that Computrace, a product from rival vendor Absolute Software for securing enterprise devices, contains vulnerabilities that could be used by sophisticated attackers to remotely install malware on devices using the Computrace agent.

Absolute Software immediately rejected the claims, and griped that it was not contacted prior to publication. Kaspersky insists it reached out to the company via email but did not receive a reply.

Computrace is an anti-theft and security suite for enterprise computers, laptops and mobile devices. Kaspersky’s report alleges vulnerabilities in the Computrace agent, installed within the BIOS of laptops and desktops using the system.

The report claims the Computrace agent could potentially be used to deploy spyware implants. It also alleges that the agent includes mechanisms to prevent it from being removed even by administrators.

Another allegation is that the Computrace Small Agent does not require any encryption or authentication while communicating with a remote server, potentially allowing attackers to exploit this to trigger remote code execution.

Kaspersky said it initiated the research after its security researchers uncovered the Computrace agent running on their laptops without prior authentication.

Soon after Kaspersky published its report and issued a press release promoting it, Absolute Software denied the allegations. Absolute Software CTO Phil Gardner went on record saying the company “considers Kaspersky’s analysis flawed and rejects its conclusions.”

He said several of the claims made in the report derive from Kaspersky researchers having “misinterpreted” one of the features of the Computrace agent, Absolute Persistence Technology. This feature allows the agent to automatically reinstall itself if it is removed or tampered with.

“Absolute Computrace cooperates with all other means of securely modifying the system. It does not reject administrator’s commands to stop or be deleted. It doesn’t hide from anti-virus software, and it is not a root kit,” he said.

Gardner also disputed Kaspersky’s assertions that the system can be activated without prior consent and that it communicates with host servers over plain text during the authentication process.

“The installation process is under the full control of the Absolute Computrace administrator and once the installation is complete, the communication is secure and uses encryption as well as authentication of the host server to reject attacks as described in the Kaspersky report,” he said. “There is no clear text transmission of any data and the protocol of the full agent will reject attempts to communicate without authorisation.”

In another media statement, Absolute Software also asserted that, as far as the company was aware, it had “never been contacted by Kaspersky Lab in order to validate their research and provide technical insight. We’ve received no response from Kaspersky Lab until the press release and report were published.”

Kaspersky Lab responded to Absolute by reiterating its assertion that its researchers had discovered the Computrace agent running on their laptops without prior authentication.

“The analysed laptops were purchased in 2012 in brand-new condition and with the top configurations available on the market. It quickly became alarming when our reverse engineering revealed weak implementation of the Computrace agent,” the company said in its own press statement.

“Although Absolute Computrace is a legitimate software, due to security weaknesses it can be used not as a protection tool, but as an instrument for cyber attacks. As a security company we believe it’s our job to warn people about potential serious risks hidden in Absolute Computrace.”

In the wake of Absolute’s complaints about the Kaspersky presentation, Kaspersky Lab expert Vitaly Kamluk also published a FAQ about the research on Kaspersky’s security portal Securelist. The FAQ includes a screenshot of an email which Kamluk said was sent to Absolute Software a week before the research was made public. The email details plans to announce the findings and also includes a draft copy of the report.

The screenshot shows the addresses security@absolute.com, info@absolute.com and rturner@absolute.com. Only the email sent to the first address bounced, meaning the others should have gotten through, Kamluk wrote. “[H]owever we have never received a formal response.”

Did Kaspersky have a social obligation to contact Absolute Software prior to publication, and did the email fulfil this obligation? James Turner, an IBRS advisor and chair of the 2013 Australian Information Security Association (AISA) Advocacy Group board, said he believes neither Kaspersky nor Absolute comes out of this story looking good.

“One would hope that the Kaspersky researchers did actually find a current problem to take this line in their report, but firing off an email and giving a vendor only a week to respond looks pretty amateur,” he said.

“I think most people reading this news would think that Kaspersky look like they've done a rush job on their report, and that doesn’t instil confidence in their findings or processes. Consequently, what choice does Absolute Software have, other than to respond with a blanket denial, which often looks like a whitewash.”

Turner said vulnerability disclosure is a complicated issue. “The industry absolutely needs to know about vulnerabilities in software so that people and organisations can take steps to defend themselves. But equally, it’s fair and reasonable to give a vendor a chance to do something about it themselves before they are named and shamed ... Communication isn't just throwing a corked bottle into the sea and expecting that someone should respond to it according to your time frame.”


All content Copyright © 2024 Westwick-Farrow Pty Ltd