A vulnerability in Avast’s SafeZone tool allowed attackers to read any file on the system by getting the victim to click on a link, Google researcher Tavis Ormandy revealed on Thursday.
SafeZone, also known as Avastium, is a Chromium fork designed to protect Avast users’ data when they shop or bank online. The tool is included in Avast’s Premier, Internet Security and Pro Antivirus products.
Ormandy discovered in mid-December that unlike Chromium, which only allows WebSafe URLs on the command line, SafeZone allowed any URL without restriction. By removing this security check, the Avast tool permitted attackers to gain additional privileges and conduct various actions on the system.
If an attacker could convince a victim to visit a malicious URL, they could launch Avastium and gain complete control of the application. The Google expert pointed out that an attack could have worked even if the victim had never used Avastium.
“[The vulnerability] allows an attacker to read any file on the filesystem by clicking a link. You don’t even have to know the name or path of the file, because you can also retrieve directory listings using this attack. Additionally, you can send arbitrary *authenticated* HTTP requests, and read the responses. This allows an attacker to read cookies, email, interact with online banking and so on,” Ormandy said.
The flaw was reported to Avast on December 18 and the vendor released a temporary mitigation designed to break the exploit chain on December 28. A proper patch was delivered to customers on February 3 with the release of Avast 2016 build 2016.11.1.2253.
SafeZone is not the only Chromium-based antivirus browser found to be vulnerable by Ormandy. The expert reported earlier this week that Comodo’s Chromodo browser disabled same origin policy (SOP), effectively breaking web security, and, in January 2015, he criticized WhiteHat Security’s Aviator browser.
Other experts agree that many antivirus browsers are not as secure as they’re advertised.
With regard to “secure browsers” implemented by AVs: in general, do not ever use your AV’s supplied browser. I’ve analyzed 3. All broken.
— Joxean Koret (@matalaz) February 3, 2016
Ormandy previously discovered serious vulnerabilities in the products of security companies Malwarebytes, Trend Micro, Kaspersky Lab, AVG, and FireEye.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Zyxel Firewalls Hacked by Mirai Botnet
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
- Drop in Insider Breaches Drives Decline in Intrusions at OT Organizations
- Zero-Day Vulnerability Exploited to Hack Barracuda Email Security Gateway Appliances
- OAuth Vulnerabilities in Widely Used Expo Framework Allowed Account Takeovers
- New Honeywell OT Cybersecurity Solution Helps Identify Vulnerabilities, Threats
- Rheinmetall Says Military Business Not Impacted by Ransomware Attack
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
