Avast 6 and Flash required - Vulnerability?

Discussion in 'other anti-virus software' started by shadek, Apr 26, 2011.

Thread Status:
Not open for further replies.
  1. shadek

    shadek Registered Member

    Joined:
    Feb 26, 2008
    Posts:
    2,363
    Location:
    Sweden
    I'm just trying Avast for fun, and noticed I need Flash installed to get full access to file activity. I'm using Chrome as my browser and therefore don't need Flash. I find it outrageous that a security application is relying on something as vulnerable as an external Flash player! At least Chrome has its own sandboxed. What do you guys think?

    avast.png
     
  2. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Re: Avast 6 and Flash required -Vulnerability?

    Eh... so live without the graphs? It is NOT really required for Avast functionality. :rolleyes:
     
  3. eBBox

    eBBox Registered Member

    Joined:
    Aug 10, 2006
    Posts:
    482
    Location:
    Aalborg, Denmark
    To me it's a big problem too, and I wonder why Avast! has made this plugin needed. Especially because of the vulnerabilities in Flash software. Well spotted btw :thumb:
     
  4. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    The plugin is not NEEDED. As said, just live without the graphs, they are not NEEDED for Avast functionality, at all.

    P.S. Your suggested alternative would be exactly what? Silverlight (equal junk) or java eating all your CPU cycles? :rolleyes:
     
  5. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Please read the first post, they're needed for the functionality of displaying past statistical data. If you're trying to claim that it's not important, then that's a different matter, and also purely your personal opinion.
     
  6. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Please answer my question regarding what alternative do you suggest. And of course, fancy realtime statistical graphs are absolutely critical part of AV (or any other security solution) functionality.... :rolleyes: Or live without the graphs, as said.
     
  7. Matthijs5nl

    Matthijs5nl Guest

    My ESET also draws graphs, does anyone know what, if any, program is used to do this?
     
  8. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Removed OT posts.
     
  9. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    791
    Location:
    India
    Nice find, shadek. Personally I believe that security applications should be using Flash as a sandboxed app, as it is a most vulnerable application. But I am not sure how much Avast is isolated from Flash vulnerabilities. Only the Avast dev team can reveal that.
     
  10. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    * There's hardly the need to "suggest" an "alternative" - especially from among the options you provided - when common sense dictates that if you're writing a security program optimized for efficiency, you simply avoid interpreted languages altogether. And if a user is opting to avoid a runtime environment known for its security vulnerabilities, you don't encourage the user to install it on their machines.

    Yes, they are, at least for me and apparently quite a few others here.*
     
    Last edited by a moderator: Apr 26, 2011
  11. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    What, which better alternative that I have NOT provided would you suggest for "realtime" graphs?
     
  12. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    The point is that Flash (and Java/Silverlight) isn't needed. Any further questions?
     
  13. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    So, you do NOT want the graphs any more*
     
    Last edited by a moderator: Apr 26, 2011
  14. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    Well, gee... I don't have flash, java, silverlight (...) installed; Just plain ol' XP SP3 with no added programs/plugins and my security program shows realtime graphs... How is it possible o_O o_O
    It certainly doesn't have those bundled with it... and even if it does, it's certainly better than installing it system wide like with avast.
     
    Last edited: Apr 26, 2011
  15. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    Indeed. It seems some people are under the impression that the only way to draw a graph is using Flash. :/
     
  16. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Complete fail. Bundling is baaaad security-wise, much worse than you realize. There is pretty much a policy in tons of Linux distributions that bundled libraries are considered a security bug. Since it is hard to track bundled stuff, and since the upstream never manages to keep the pace with the bundled stuff's upstream when it comes to these. Since it requires patching in tons of places instead of one system-wide implementation. Etc. etc. etc.

    Case in point - go look at those outdated vulnerable Java versions bundled with Adobe suites


    Maybe it is just that some vendors focus on the real meat of their products instead of reinventing the wheel, such as inventing more ways how to draw fancy graphs.
     
    Last edited: Apr 26, 2011
  17. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    :D
    Lol, I'm sorry but I couldn't help but chuckle at the logic. :)
    @
    The OP has this requirement:
    I want to be able to see realtime graphs (our personal opinion doesn't matter)
    How does avast do it? You have to install flash, system wide, meaning in your browsers as well, which in turn means that the attack surface is increased (not only is your sec. solution susceptible, but your browsers are as well now)

    Given that, my point in the part you quoted still stands: it's better to bundle them with the app that needs flash to draw graphs because the attack surface is lower than having the plugin installed in your browsers too.

    (nice to see you avoiding the other part of my post ;))
    I find it rather "unfocused" that a security application needs something as prone to vulns. as flash to display graphs.
     
  18. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    No, it does not stand at all. There is absolutely no guarantee that the bundled version will not get abused. In fact, given that Avast has some 150 million users, the bundled flash will get targeted as soon as a vulnerability gets published in the bundled version. And there is absolutely no point in updating an antivirus every time a Flash security fix is released by Adobe.

    I find it rather unfocused that no one so far offered any better alternative, instead of this unproductive ranting. :thumbd:
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    This is my alternative: Excel or some other alternative users already have. :D

    avast! just creates a sheet file, on demand, and the user opens it... Would it work?

    At least, no more vulnerabilities would be introduced to the system by installing Adobe Flash Player... :argh:

    Otherwise, no such crap that introduces more vulnerabilities to the system should be required/bundled... especially not with a security application... quite contradictory, IMHO.
     
  20. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    Yes, I completely agree with you on that: it's possible to exploit the bundled flash. Let's take that probability as some sort of "constant" or "fixed group" in the equation... doesn't adding browser plugins increase the exposure, thus only worsening the situation?
    But I digress, let's forget bundling... That returns us to the original Q which you avoid repeatedly: "Why is a 3rd party framework such as flash (or java, silverlight) even necessary to display graphs"?

    Unfortunately, avast hasn't left us with many alternatives now, have they... ;) If you want graphs with avast you need to install flash (activex version).
    It would take an avast developer to tell us how to have graphs without the need to install flash system wide.
     
    Last edited: Apr 26, 2011
  21. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, I have asked about 10 times about your alternatives so far, I got absolutely no answer at all. Just beating around the bush.

    Or, let me put it this way - do you prefer the security vendor to spend their resources on improving the detection and prevention rates of their products, implementing new security features - or would you rather have them spend more time on reinventing the wheel by writing code to draw the graphs?

    P.S. It actually is the ActiveX version being used.

    @m00nbl00d: Excel is not really realtime, but log analyzers are commonplace of course. I do not need such eye-candy like these realtime graphs at all. And actually providing something to analyze the malware distribution (time, samples, etc.) would be relevant security-wise, the current one, really is not IMHO.
     
  22. 3x0gR13N

    3x0gR13N Registered Member

    Joined:
    May 1, 2008
    Posts:
    754
    How time consuming can it be? :rolleyes: Every other security vendor that has graphs of some sort has their own codebase for displaying graphs. If you're so "anal" about vendors being focused solely on improving detection/removal etc. there's a lot of things in avast that are simply "showing off": sound packs, animated popups, much of the existing UI etc. which have little to do with security/detection/removal.
    Oops, yes my mistake. :)
     
  23. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Sound packs, graphics etc. have a marketing purpose (make the SW attractive to users), thus providing a direct or indirect financial benefit to the vendor (and are beneficial to the users as well, as long as the GUI appearance is important to them).

    OTOH, ranting about a design choice that does NOT affect the functionality of a product in any way except for the fact that you dislike Flash does not have any marketing benefits for the vendors, the hard fact being that they will waste money reinventing the wheels wrt graph drawing and the obvious alternatives here are no better than the current choice. Live with it, pretty much.
     
  24. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Why is a fast scanner like Avast using a slow plugin like Flash for rendering the GUI statistics?
     
  25. Dwarden

    Dwarden Registered Member

    Joined:
    Apr 11, 2003
    Posts:
    176
    Location:
    Czech Republic
    I assume for some reason alternatives were slower, memory hungrier, or there just wasn't time to use anything else

    yet it uses java
    http://www.live-graph.org/index.html

    many others use .net or python or java or else ....

    Silverlight may be a good choice thanks to its nix fork ...

    and I'm sure there are many native C++ ones, open source too
     