Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Vulnerability Prompts Avast to Disable Emulator Used by Antivirus

Avast this week disabled a JavaScript interpreter that is part of its antivirus product, after a security researcher discovered a vulnerability that could potentially lead to remote code execution.

The JavaScript interpreter was found to run unsandboxed, thus potentially exposing systems to attackers.

Avast this week disabled a JavaScript interpreter that is part of its antivirus product, after a security researcher discovered a vulnerability that could potentially lead to remote code execution.

The JavaScript interpreter was found to run unsandboxed, thus potentially exposing systems to attackers.

“That service loads the low level antivirus engine, and analyzes untrusted data received from sources like the filesystem minifilter or intercepted network traffic,” Tavis Ormandy, the Google security researcher who discovered the vulnerability, explains.

Despite being a high-privilege process running untrusted input, the emulator was not sandboxed and also had poor mitigation coverage, Ormandy discovered.

“Any vulnerabilities in this process are critical, and easily accessible to remote attackers,” the researcher revealed.

Ormandy also discovered that, while Avast’s solution was employing heuristics to activate the interpreter only for specific files, it was possible to trigger the heuristic using a specially crafted file.

Earlier this week, the researcher released a tool to allow for vulnerability analysis in the emulator, warning that any issues discovered would likely be “critical and wormable.”

Two days later, Avast decided to disable the emulator globally, to ensure that it does not pose a security threat to users.

“Last week, [Tavis Ormandy] reported a vulnerability to us in one of our emulators, which in theory could have been abused for RCE. On [March 9] he released a tool to simplify vuln. analysis in the emulator. Today, to protect our hundreds of millions of users, we disabled the emulator,” Avast announced.

The security firm also noted that the disabling of the emulator would have no impact on the functionality of the anti-virus product, which raised questions on why such an insecure tool was included in the product in the first place.

Ormandy, who pointed out that the issue was discovered in collaboration with Google Project Zero researcher Natalie Silvanovich, underlined the fact that Avast’s decision would significantly reduce the attack surface.

Earlier this week, Avast and security researcher David Eade publicly disclosed information on a series of issues in the Avast AntiTrack solution that could have been abused to perform man-in-the-middle (MitM) attacks on HTTPS traffic.

Related: Avast AntiTrack Flaw Allows MitM Attacks on HTTPS Traffic

Related: Avast, Avira Products Vulnerable to DLL Hijacking

Related: Avast Discloses New Supply-Chain Attack Attempt

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.