Kaspersky Antivirus incorrect %PROGRAMDATA% ACL
Project Member Reported by taviso@google.com, Sep 17 2015
The ACL on %PROGRAMDATA%\Kaspersky Lab allows BUILTIN\Users to create new files. This can be abused to create new plugins and modules during update, and other filesystem races to gain elevated privileges.

C:\Users\Tavis Ormandy>icacls "%PROGRAMDATA%\Kaspersky Lab"
C:\ProgramData\Kaspersky Lab NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                             BUILTIN\Administrators:(I)(OI)(CI)(F)
                             CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                             BUILTIN\Users:(I)(OI)(CI)(RX)
                             BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files

An example attack is to find the MD5 of an upcoming update, create a DLL at Cache\qscan.kdl.{md5} that does something in DllMain. The next time Kaspersky updates, avp.exe will load the file.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
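
An audit check for the ACL problem reported above, as an added example that is not part of the original report or of any Kaspersky or Project Zero code: it parses icacls output and lists standard-user principals that hold rights allowing file creation or modification. The function names and the LOW_PRIV list are assumptions of this example; SAMPLE is the output quoted in the report and HARDENED is a constructed variant.

```python
import re

# Principals every standard user is a member of (list assumed for this example).
LOW_PRIV = {"BUILTIN\\Users", "Everyone", "NT AUTHORITY\\Authenticated Users",
            "NT AUTHORITY\\INTERACTIVE"}
# icacls right tokens that allow creating, replacing or re-permissioning content.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "WDAC", "WO", "GA", "GW"}
# Parenthesised groups that describe inheritance rather than access rights.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^)]*\))+)$")

def parse_icacls(path, output):
    """Yield (principal, inheritance_flags, rights) for each ACE line."""
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):          # first ACE shares a line with the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue                       # command echo, blank or summary line
        groups = re.findall(r"\(([^)]*)\)", m["groups"])
        flags = {g for g in groups if g in INHERIT_FLAGS}
        rights = {r for g in groups if g not in INHERIT_FLAGS for r in g.split(",")}
        yield m["who"], flags, rights

def writable_by_low_priv(path, output):
    """Return [(principal, [write rights])] for ACEs granted to standard users."""
    findings = []
    for who, _flags, rights in parse_icacls(path, output):
        hit = rights & WRITE_RIGHTS
        if who in LOW_PRIV and hit:
            findings.append((who, sorted(hit)))
    return findings

PATH = r"C:\ProgramData\Kaspersky Lab"
SAMPLE = r"""C:\Users\Tavis Ormandy>icacls "%PROGRAMDATA%\Kaspersky Lab"
C:\ProgramData\Kaspersky Lab NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                             BUILTIN\Administrators:(I)(OI)(CI)(F)
                             CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                             BUILTIN\Users:(I)(OI)(CI)(RX)
                             BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)
Successfully processed 1 files; Failed processing 0 files"""
# Constructed variant: same ACL without the Users write/append entry.
HARDENED = "\n".join(l for l in SAMPLE.splitlines() if "(WD,AD" not in l)

if __name__ == "__main__":
    for who, rights in writable_by_low_priv(PATH, SAMPLE):
        print(f"{PATH}: {who} holds {','.join(rights)}")
```
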
Project Member Comment 1 by taviso@google.com, Sep 18 2015, Nov 16 2015
This issue was resolved on November 16th.