Avast this week disabled a JavaScript interpreter that is part of its antivirus product, after a security researcher discovered a vulnerability that could potentially lead to remote code execution.
The JavaScript interpreter was found to run unsandboxed, thus potentially exposing systems to attackers.
“That service loads the low level antivirus engine, and analyzes untrusted data received from sources like the filesystem minifilter or intercepted network traffic,” Tavis Ormandy, the Google security researcher who discovered the vulnerability, explains.
Despite being a high-privilege process running untrusted input, the emulator was not sandboxed and also had poor mitigation coverage, Ormandy discovered.
“Any vulnerabilities in this process are critical, and easily accessible to remote attackers,” the researcher revealed.
Ormandy also discovered that, while Avast’s solution was employing heuristics to activate the interpreter only for specific files, it was possible to trigger the heuristic using a specially crafted file.
Earlier this week, the researcher released a tool to allow for vulnerability analysis in the emulator, warning that any issues discovered would likely be “critical and wormable.”
Two days later, Avast decided to disable the emulator globally, to ensure that it does not pose a security threat to users.
“Last week, [Tavis Ormandy] reported a vulnerability to us in one of our emulators, which in theory could have been abused for RCE. On [March 9] he released a tool to simplify vuln. analysis in the emulator. Today, to protect our hundreds of millions of users, we disabled the emulator,” Avast announced.
The security firm also noted that the disabling of the emulator would have no impact on the functionality of the anti-virus product, which raised questions on why such an insecure tool was included in the product in the first place.
Ormandy, who pointed out that the issue was discovered in collaboration with Google Project Zero researcher Natalie Silvanovich, underlined the fact that Avast’s decision would significantly reduce the attack surface.
Earlier this week, Avast and security researcher David Eade publicly disclosed information on a series of issues in the Avast AntiTrack solution that could have been abused to perform man-in-the-middle (MitM) attacks on HTTPS traffic.
Related: Avast AntiTrack Flaw Allows MitM Attacks on HTTPS Traffic
Related: Avast, Avira Products Vulnerable to DLL Hijacking
Related: Avast Discloses New Supply-Chain Attack Attempt
More from Ionut Arghire
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- Apria Healthcare Notifying 2 Million People of Years-Old Data Breaches
- European Cybersecurity Firm Sekoia.io Raises $37.5 Million
- GitLab Security Update Patches Critical Vulnerability
- Android App With 50,000 Downloads in Google Play Turned Into Spyware via Update
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
