[German]A serious vulnerability in its antivirus solutions has forced the security provider AVAST to disable JavaScript in its products for security reasons. Here are a few details.
Advertising
AVAST is used by some people as a security and virus protection solution on Windows. However, such supposed security products often bring weaknesses to your system. German blog reader Nobody already pointed this out in this comment at the end of last week (thank you).
Project Zero exposes vulnerability
Antivirus solutions use a JavaScript interpreter to execute malicious code in a sandbox. Then the behavior of the code is monitored for indications of malicious code. This is nothing unknown, and security experts know that this is a potential attack point for malicious software. If there is a vulnerability in the sandbox, the malware can escape from the sandbox or play dead if the sandbox is detected.
Wow – Avast decided to disable their JavaScript interpreter globally!
The vulnerability report they mention wasn't just me, it was a Project Zero collaboration with @natashenka
I think this is the right decision, it was a *lot* of attack surface. https://t.co/iFyry17HD0
— Tavis Ormandy (@taviso) March 11, 2020
Google security researcher Tavis Ormandy from Project Zero pointed out a fat problem in the AVAST JavaScript interpreter or anti-virus engine on Github on March 11, 2020. This is because he discovered a vulnerability in AvastSvc.exe during the analysis. This is the Avast antivirus process running with the SYSTEM permission level.
The AvastSvc.exe service loads the low-level antivirus engine and analyzes untrusted data received from sources such as the file system minifilter or intercepted network traffic. Although the service is highly privileged and processes untrusted input, it does not run in a sandbox and, according to Ormandy's analysis, has virtually no mitigation measures implemented. Furthermore, the product comes with its own JavaScript interpreter. All vulnerabilities in this construct are critical and easily accessible to remote attackers.
Advertising
Ormandy did not find a concrete weakness in this construct. But he points out in his GitHut article that debugging can be extremely difficult in this process. He has also documented for other security researchers how to attack this JavaScript emulator to find vulnerabilities.
AVAST disables JavaScript
So in principle AVAST has built in something like a predetermined 'weak point' that only needs to be attacked. So it was only a matter of time before an exploit would show up. So the antivirus vendor reports in the above tweet that it had been aware of the issue since March 4, 2020. After Ormandy published his GitHub post with a tool to analyze the emulator on March 9, 2020, they decide to disabled the emulato, to protect hundreds of millions of users. According to AVAST, this does not affect the functionality of the antivirus solution.
Similar articles:
Leak revealed: Avast user data was sold
AVAST: Jumpshot will be closed after privacy scandal
Mozilla removed Firefox Addons from AVG/AVAST
Firefox Addons from AVG/AVAST back in store
Windows 10 V190x: Avast/AVG as Upgrade Blocker
XSS Vulnerability in AVAST Antivirus
Abbis: AVAST fights off a cyber-attack attempt on its network
AVAST and Avira confirms April 2019 Update issues
Firefox 65 for Windows: Issues with AVAST/AVG Antivirus
AVAST CCleaner 5.45 and the telemetry thing
