A vulnerability in Avast’s SafeZone tool allowed attackers to read any file on the system by getting the victim to click on a link, Google researcher Tavis Ormandy revealed on Thursday.
SafeZone, also known as Avastium, is a Chromium fork designed to protect Avast users’ data when they shop or bank online. The tool is included in Avast’s Premier, Internet Security and Pro Antivirus products.
Ormandy discovered in mid-December that unlike Chromium, which only allows WebSafe URLs on the command line, SafeZone allowed any URL without restriction. By removing this security check, the Avast tool permitted attackers to gain additional privileges and conduct various actions on the system.
If an attacker could convince a victim to visit a malicious URL, they could launch Avastium and gain complete control of the application. The Google expert pointed out that an attack could have worked even if the victim had never used Avastium.
“[The vulnerability] allows an attacker to read any file on the filesystem by clicking a link. You don't even have to know the name or path of the file, because you can also retrieve directory listings using this attack. Additionally, you can send arbitrary *authenticated* HTTP requests, and read the responses. This allows an attacker to read cookies, email, interact with online banking and so on,” Ormandy said.
The flaw was reported to Avast on December 18 and the vendor released a temporary mitigation designed to break the exploit chain on December 28. A proper patch was delivered to customers on February 3 with the release of Avast 2016 build 2016.11.1.2253.
SafeZone is not the only Chromium-based antivirus browser found to be vulnerable by Ormandy. The expert reported earlier this week that Comodo’s Chromodo browser disabled same origin policy (SOP), effectively breaking web security, and, in January 2015, he criticized WhiteHat Security’s Aviator browser.
Other experts agree that many antivirus browsers are not as secure as they’re advertised.
With regard to "secure browsers" implemented by AVs: in general, do not ever use your AV's supplied browser. I've analyzed 3. All broken.
— Joxean Koret (@matalaz) February 3, 2016