Avast disables vulnerability that left 400 million users open to abuse

By on
Avast disables vulnerability that left 400 million users open to abuse

Unsafe Javascript interpreter begone.

Security vendor Avast has urgently disabled a component in its antivirus product that researchers said could have put over 400 million users at risk of arbitrary code execution remotely.

Google Project Zero researchers Tavis Ormandy and Natalie Silvanovich looked into the Avast antivirus Javascript interpreter or emulator that is used to triage potentially unsafe code, and discovered it to be poorly implemented.

Ormandy published an analysis about the vulnerability on Github two days ago, pointing out that the Javascript interpreter is a risky proposition.

"Despite being highly privileged and processing untrusted input by design, it is unsandboxed and has poor mitigation coverage.

"Any vulnerabilities in this process are critical, and easily accessible to remote attackers.

"So.. maybe not great that it includes a custom JavaScript interpreter....???? ��" Ormandy wrote.

Avast responded to Ormandy's vulnerability report and said it will disable the problematic Javascript emulator immediately.

In January this year, the security vendor was at the cynosure of a privacy scandal involving its data-harvesting subsidiary Jumpshot, which it was forced to divest.

Avast also accidentally distributed malware to millions of users for over a month in 2017, via the CCleaner utility that the security vendor had bought the same year.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.

Most Read Articles

Log In

  |  Forgot your password?