that it was previously trivial to create an SSL certificate collision thanks to Kaspersky using only the first 32 bits of an MD5 hash in its SSL proxy packaged with its Anti-Virus product. "You don't have to be a cryptographer to understand a 32-bit key is not enough to prevent brute-forcing a collision in seconds," Tavis Ormandy of Project Zero said in its issue tracker. "They effectively proxy SSL connections, inserting their own certificate as a trusted authority in the system store and then replace all leaf certificates on the fly. This is why if you examine a certificate when using Kaspersky Anti-Virus, the issuer appears to be 'Kaspersky Anti-Virus Personal Root'," he said. "It seems incredible that Kaspersky haven't noticed that they sometimes get certificate errors for mismatching commonNames just by random chance." After Ormandy reported the bug and received acknowledgement from Kaspersky on November 1, despite learning the security vendor was doing some commonName checks, the bug was still able to be exploited. "If you're not being attacked, you would see random errors. A MITM [man in the middle] can send you packets from where you were expecting," Ormandy said on Twitter. Ormandy also found another bug on November 12 that allowed any unprivileged user to become a local certificate authority.

In May last year, the Project Zero security researcher discovered that Symantec Antivirus Engine was vulnerable to buffer overflow when parsing malformed portable-executable header files that resulted in instant blue-screening and kernel memory corruption without user action on Windows. "This is about as bad as it can possibly get," Ormandy said at the time.
Because Symantec use a filter driver to intercept all system I/O , just emailing a file to a victim or sending them a link is enough to exploit it .
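On the Kaspersky 32-bit key discussed above, an added illustration (not from the article and not Kaspersky's code) of why mismatches can appear "just by random chance": it computes the birthday bound for a truncated key and counts accidental clashes in a lookup table keyed by a truncated MD5 versus a full SHA-256 fingerprint. What gets hashed, the 16-bit width used to keep the demo small, the sample names and all function names are assumptions.

```python
import hashlib
import math


def truncated_md5_key(data: bytes, bits: int = 32) -> int:
    """First `bits` bits of MD5(data): the kind of short key the article describes."""
    digest = hashlib.md5(data).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)


def full_fingerprint_key(data: bytes) -> str:
    """Corrected form: key the table on a full SHA-256 fingerprint."""
    return hashlib.sha256(data).hexdigest()


def chance_collision_probability(n: int, bits: int) -> float:
    """Birthday bound: probability that at least two of n random keys coincide."""
    return -math.expm1(-n * (n - 1) / (2 * 2 ** bits))


def count_accidental_clashes(items, key_fn) -> int:
    """Count items whose key is already owned by a different item in the table."""
    table = {}
    clashes = 0
    for item in items:
        key = key_fn(item)
        if key in table and table[key] != item:
            clashes += 1  # a lookup here would return the wrong entry
        else:
            table[key] = item
    return clashes


# Constructed stand-ins for certificate identities (not real hosts).
SAMPLE_NAMES = [f"CN=host{i}.example".encode() for i in range(5000)]

if __name__ == "__main__":
    for n in (1_000, 10_000, 77_163, 200_000):
        p = chance_collision_probability(n, 32)
        print(f"{n:>7} entries, 32-bit key: P(accidental clash) = {p:.4f}")
    weak = count_accidental_clashes(
        SAMPLE_NAMES, lambda d: truncated_md5_key(d, bits=16))
    strong = count_accidental_clashes(SAMPLE_NAMES, full_fingerprint_key)
    print(f"16-bit demo key clashes: {weak}; full fingerprint clashes: {strong}")
```

With a 32-bit key the chance of at least one accidental clash reaches about one half at roughly 77,000 distinct entries, which is the birthday effect behind the random certificate errors Ormandy describes.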