Avast disables JavaScript engine in its antivirus following major bug
<blockquote data-quote="Antus67" data-source="post: 865010" data-attributes="member: 83595"><p>Vulnerability would have allowed attackers to take over computers running the Avast antivirus. </p><p></p><p>Czech antivirus maker Avast has taken the extreme step of disabling a major component of its antivirus product after a security researcher found a dangerous vulnerability that put all of the company's users at risk.</p><p></p><p>The security flaw was found in Avast's JavaScript engine, an internal component of the Avast antivirus that analyzes JavaScript code for malware before allowing it to execute in browsers or email clients.</p><p></p><p>"Despite being highly privileged and processing untrusted input by design, it is unsandboxed and has poor mitigation coverage," said Tavis Ormandy, a security researcher at Google.</p><p></p><p>"Any vulnerabilities in this process are critical, and easily accessible to remote attackers," Ormandy said on Monday, when he also <a href="https://github.com/taviso/avscript" target="_blank">released a tool</a> that he used to analyze the company's antivirus.</p><p></p><p><span style="font-size: 18px"><strong>EXPLOITATION WAS TRIVIAL</strong></span></p><p>Exploiting this type of bug is trivial. 
All it would take is sending a user a malicious JS or WSH file via email, or tricking a user into accessing a boobytrapped file with malicious JavaScript code.</p><p></p><p>Ormandy argues that once the Avast antivirus would download and run the malicious JavaScript code inside its own custom engine, malicious operations could be executed on the user's computer, with SYSTEM-level access.</p><p></p><p>For example, using this bug, attackers would have the ability to install malware on an Avast user's device.</p><p></p><p><span style="font-size: 18px"><strong>AVAST NOTIFIED LAST WEEK</strong></span></p><p></p><p>While Avast knew of the bug for almost a week, the company had yet to patch the issue, and earlier today, decided to disable its antivirus' JavaScript scanning capabilities until a patch would be ready.</p><p></p><p>Contacted by ZDNet for comment, the Czech company provided the following statement on the series of events that led to today's drastic measure.</p><p></p><p>"<em>Last Wednesday, March 4, Google vulnerability researcher Tavis Ormandy reported a vulnerability to us affecting one of our emulators. The vulnerability could have potentially been abused to carry out remote code execution.</em></p><p><em></em></p><p><em>On March 9, he released a tool to greatly simplify vulnerability analysis in the emulator.</em></p><p><em></em></p><p><em>We have fixed this by disabling the emulator, to ensure our hundreds of millions of users are protected from any attacks. 
This won't affect the functionality of our AV product, which is based on multiple security layers</em>."</p><p></p><p>There is no current timeline for when a patch would be ready.</p><p></p><p>Ormandy discovered the Avast antivirus bug using a tool he developed in 2017 that allows him to <a href="https://www.bleepingcomputer.com/news/software/google-expert-ports-windows-defender-to-linux-to-showcase-new-tool/" target="_blank">port Windows DLL files to Linux</a>, where automated fuzzing and other security tests can be carried out more easily.</p><p></p><p>Source: <a href="https://www.zdnet.com/article/avast-disables-javascript-engine-in-its-antivirus-following-major-bug/" target="_blank">Avast disables JavaScript engine in its antivirus following major bug | ZDNet</a></p></blockquote><p></p>