Antivirus vendor Avast has patched a vulnerability in its very own fork of the Chrome browser. And a good job too: the vuln allowed remote attackers to completely compromise the platform.
Avast’s SafeZone browser is bundled with its 2016 security products. It’s based on the Avastium fork of Chrome, which is of course Google-spawn.
Google researcher Tavis Ormandy says SafeZone allows attackers to eviscerate user web histories, passwords, and everything else stored in the application.
The Project Zero serial software defiler derided Avastium, offering a proof-of-concept link attackers can use to harvest and hijack the warped browser even when it is deactivated.
“This one is complicated, but allows an attacker to read any file on the filesystem by clicking a link,” Ormandy says.
“You don’t even have to know the name or path of the file, because you can also retrieve directory listings using this attack.
“Additionally, you can send arbitrary authenticated HTTP requests, and read the responses [which] allows an attacker to read cookies, email, interact with online banking, and so on.”
Ormandy disclosed the flaw in December and this week made the findings public following a patch.
Avast labelled its patch only as ‘security fixes’ alongside other minor improvements.
It is the second browser port Ormandy has publicly flayed this week. He took aim at the fudged Chrome fork Chromodo which hijacks DNS settings, and bizarrely deactives Chrome’s same-origin policy which prevents privacy issues from foreign scripts reading each other’s data.
Worse, the web thing set itself as the default browser, hoovering up Chrome’s data such that it resembled the real thing, albeit without the real security.
It prompted fellow accomplished hacker Joxean Koret to chime in that users should never trust antivirus browser ports and that each of the three unnamed platforms he tested were “broken”.
El Reg’s security desk advises avoiding browser ports and sticking only with well-supported, mature, and hardened browsers. ®
Building secure multi-factor authentication