Jump to content

Recommended Posts

  • ExTS Admin
Posted

http://img.photobucket.com/albums/v708/starbuck50/avast-safezone-browser-lets-attackers-access-your-filesystem-499990-2_zpslevpxwx9.png

 

Another antivirus maker decides to mess around with Chromium default security features and gets it totally wrong

 

Just two days after Comodo's Chromodo browser was publicly shamed by Google Project Zero security researcher Tavis Ormandy, it's now Avast's turn to be publicly scorned for failing to provide a "secure" browser for its users.

 

While Chromodo was caught disabling a crucial security feature called Same Origin Policy (SOP), Avast's Chromium fork is much worse, featuring a series of problems, one of which allows attackers to list and read files from your computer after you click a simple malicious link.

 

Antivirus makers should stick to antivirus software

Called SafeZone, and also known as Avastium, Avast's custom browser is offered as a bundled download for all who purchase or upgrade to a paid version of Avast Antivirus 2016.

 

Just like Chromodo, SafeZone is built on top of Chromium, the open source browser project on which Google Chrome, Vivaldi, and Opera are based on as well.

 

As Mr. Ormandy explains, this poor excuse of a browser was allowing a third-party to carry out a series of attacks, all by fooling a user into clicking a link, which is not really that hard if you hide it under a short URL.

 

Users don't have to use the browser, only have it installed

 

According to the researcher's explanation, attackers could send malicious commands to an RPC endpoint that was left open in the browser's core engine.

 

These commands could be bundled inside malicious JavaScript code which was executed locally on the user's computer, where localhost access would allow it to reach these open RPC endpoints, even if SafeZone was not actually running, and the malicious links were clicked inside other browser.

 

An attacker wouldn't even need an info-stealing malware strain if he knew his target had Avast's SafeZone installed, browser which was dumping everything out in the open.

 

"Although this attack relies on Avastium (Avast's port of Chromium), the victim does *not* have to be using it, and never has to have used it, because your profile is automatically imported from Chrome on startup," Mr. Ormandy noted, saying that bookmarks, preferences, passwords and cookies are automatically added to SafeZone without the user's consent.

 

Avast purposely disabled a Chromium security feature

 

"Additionally, you can send arbitrary *authenticated* HTTP requests, and read the responses," Mr. Ormandy also explained. "This allows an attacker to read cookies, email, interact with online banking and so on."

 

If you have SafeZone installed on your PC, you're doomed, since the malicious link can be opened in other browsers, and work regardless.

 

This entire situation is extremely funny and tragic at the same time.

 

Users that purchased an antivirus to bolster their security are practically being delivered a live backdoor, even if they wanted it or not.

 

Ormandy told Avast about their problem on December 18, and ten days later, the company issued a quick fix that prevented this issue from being exploited. The latest version of the Avast antivirus released on February 3 included a complete fix for this issue.

 

The Google researcher blamed this entire fiasco on Avast decision to overwrite a security feature inside the default Chromium setup. This feature allowed only WebSafe URLs to be opened via command-line instructions (like the malicious ones sent to the open RPC endpoint).

 

In Chromium, users would only be allowed to open links from the command line if the URL started with http, https, javascript, data, etc.. In SafeZone, attackers could also launch links that started with "file://" which is the URL naming scheme used to access local files.

 

As an advice to all antivirus makers that create their own "secure browsers:" Leave Chromium's security features alone!

 

Accessing this URL will tell you if you have a vulnerable version of the SafeZone browser installed on your PC.

 

 

 

Source:

http://news.softpedia.com/news/avast-safezone-browser-lets-attackers-access-your-filesystem-499990.shtml

Member of:

UNITE

  • Replies 0
  • Created
  • Last Reply

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...