Avast disables JavaScript engine in its antivirus following major bug

guest · Mar 11, 2020

Avast disables JavaScript engine in its antivirus following major bug
Vulnerability would have allowed attackers to take over computers running the Avast antivirus
March 11, 2020
https://www.zdnet.com/article/avast-disables-javascript-engine-in-its-antivirus-following-major-bug/

Czech antivirus maker Avast has taken the extreme step of disabling a major component of its antivirus product after a security researcher found a dangerous vulnerability that put all of the company's users at risk.

The security flaw was found in Avast's JavaScript engine, an internal component of the Avast antivirus that analyzes JavaScript code for malware before allowing it to execute in browsers or email clients.

"Despite being highly privileged and processing untrusted input by design, it is unsandboxed and has poor mitigation coverage," said Tavis Ormandy, a security researcher at Google.
"Any vulnerabilities in this process are critical, and easily accessible to remote attackers," Ormandy said on Monday when he also released a tool that he used to analyze the company's antivirus.
Click to expand...

EXPLOITATION WAS TRIVIAL
Exploiting this type of bug is trivial. All it would take is sending a user a malicious JS or WSH file via email, or tricking a user into accessing a boobytrapped file with malicious JavaScript code.
For example, using this bug, attackers would have the ability to install malware on an Avast user's device.
AVAST NOTIFIED LAST WEEK
While Avast knew of the bug for almost a week, the company had yet to patch the issue, and earlier today, decided to disable its antivirus' JavaScript scanning capabilities until a patch would be ready.
Click to expand...

Wow - Avast decided to disable their JavaScript interpreter globally!
The vulnerability report they mention wasn't just me, it was a Project Zero collaboration with @natashenka ???

I think this is the right decision, it was a *lot* of attack surface. https://t.co/iFyry17HD0
— Tavis Ormandy (@taviso) March 11, 2020
Click to expand...

mirimir · Mar 12, 2020

That's highly ironic

BoerenkoolMetWorst · Mar 12, 2020

Has there been any other AV vendor that has implemented sandboxing for it's own components like MS Defender?

Rasheed187 · Mar 14, 2020

BoerenkoolMetWorst said: ↑

Has there been any other AV vendor that has implemented sandboxing for it's own components like MS Defender?
Click to expand...

No, I don't think so. But this shows how risky AV's can be, I think it's ridiculous that they make these kind of coding mistakes.

BoerenkoolMetWorst · Mar 15, 2020

Rasheed187 said: ↑

No, I don't think so. But this shows how risky AV's can be, I think it's ridiculous that they make these kind of coding mistakes.
Click to expand...

Indeed. There will always be vulnerabilities so the risk needs to be migitated by reducing rights, sandboxing etc. MS introduced the Defender sandbox 1.5 years ago, so I was hoping at least one other AV vendor would have an opt-in sandbox by now. Btw, do you know if the Defender sandbox has been enabled by default by now? When I search for Defender sandbox, all articles are from the original introduction, I don't see any recent articles.

Log in or Sign up

Avast disables JavaScript engine in its antivirus following major bug

guest Guest

mirimir Registered Member

BoerenkoolMetWorst Registered Member

Rasheed187 Registered Member

BoerenkoolMetWorst Registered Member

Log in or Sign up

Avast disables JavaScript engine in its antivirus following major bug

guest Guest

mirimir Registered Member

BoerenkoolMetWorst Registered Member

Rasheed187 Registered Member

BoerenkoolMetWorst Registered Member

Useful Searches