“That service loads the low level antivirus engine, and analyzes untrusted data received from sources like the filesystem minifilter or intercepted network traffic,” Tavis Ormandy, the Google security researcher who discovered the vulnerability, explains.
Despite being a high-privilege process running untrusted input, the emulator was not sandboxed and also had poor mitigation coverage, Ormandy discovered.
“Any vulnerabilities in this process are critical, and easily accessible to remote attackers,” the researcher revealed.
Ormandy also discovered that, while Avast’s solution was employing heuristics to activate the interpreter only for specific files, it was possible to trigger the heuristic using a specially crafted file.
Earlier this week, the researcher released a tool to allow for vulnerability analysis in the emulator, warning that any issues discovered would likely be “critical and wormable.”
Two days later, Avast decided to disable the emulator globally, to ensure that it does not pose a security threat to users.
“Last week, [Tavis Ormandy] reported a vulnerability to us in one of our emulators, which in theory could have been abused for RCE. On [March 9] he released a tool to simplify vuln. analysis in the emulator. Today, to protect our hundreds of millions of users, we disabled the emulator,” Avast announced.
The security firm also noted that the disabling of the emulator would have no impact on the functionality of the anti-virus product, which raised questions on why such an insecure tool was included in the product in the first place.
Ormandy, who pointed out that the issue was discovered in collaboration with Google Project Zero researcher Natalie Silvanovich, underlined the fact that Avast’s decision would significantly reduce the attack surface.
Earlier this week, Avast and security researcher David Eade publicly disclosed information on a series of issues in the Avast AntiTrack solution that could have been abused to perform man-in-the-middle (MitM) attacks on HTTPS traffic.
Related: Avast AntiTrack Flaw Allows MitM Attacks on HTTPS Traffic
Related: Avast, Avira Products Vulnerable to DLL Hijacking
Related: Avast Discloses New Supply-Chain Attack Attempt