Friday, Oct 23, 2020
Avast's Secure Web Browser Was Anything But Safe

Antivirus software packages often include custom-built “secure” Web browsers to be used when navigating banking and shopping sites. But secure browsers can be more trouble than they’re worth, as proved by Avast’s own Avastium browser, which exposed users’ computers to data theft.

While modifying Google’s open-source Chromium browser into Avastium, Avast removed a safeguard that stopped a Web server from remotely accessing local (i.e., non-Internet) files or running local commands through a client’s (i.e., your) browser. Without that safeguard, Chromium’s Developer Tools made it possible for a Web server to remotely run malicious JavaScript code in a client’s browser.

Once a site containing malicious code — which could be embedded in an ad, an iframe or delivered in a number of other ways — was opened on a PC that happened to have Avast installed, an attacker controlling the malicious code could launch the Avastium browser on that machine and use it to browse the computer’s files, including passwords, bank statements, love letters, naughty pictures and so on.

Most Web browsers can browse and view local files (type “file:///C:/” into the address bar to see for yourself), but they are only meant to do so locally, i.e., for content on the same computer or local network. Avast’s mistake was that Avastium allowed this to be done from across the Internet.

Because Avastium imports user profiles from Chrome when Avast’s software is installed, every Chrome user on a machine with Avast installed is vulnerable to the attack, not just those who actively use Avastium. The flaw was discovered by Tavis Ormandy, a Google security researcher who recently found flaws in other brands of antivirus software, including AVG, Comodo, Malwarebytes and Trend Micro.

Ormandy posted a proof-of-concept demonstration of the exploit online which, if you have Avast software installed, prints out the contents of your C: drive to show how easily access can be gained. He reported the bug to Avast when he discovered it in December 2015, and released news of the flaw to the public only after it was patched on Wednesday (Feb. 3). Avast antivirus users should make sure their installations of the software are up to date with version 2016.11.1.2253.
