Security vendor Avast has urgently disabled a component of its antivirus product that researchers said could have exposed over 400 million users to remote arbitrary code execution.

Google Project Zero researchers Tavis Ormandy and Natalie Silvanovich examined the JavaScript interpreter (or emulator) that Avast's antivirus uses to triage potentially unsafe code, and found it to be poorly implemented.
Ormandy published an analysis of the vulnerability on GitHub two days ago, pointing out that the JavaScript interpreter is a risky proposition.
"Despite being highly privileged and processing untrusted input by design, it is unsandboxed and has poor mitigation coverage.
"Any vulnerabilities in this process are critical, and easily accessible to remote attackers.
"So.. maybe not great that it includes a custom JavaScript interpreter....???? " Ormandy wrote.
Avast responded to Ormandy's vulnerability report and said it would disable the problematic JavaScript emulator immediately.
1/2 - Last week, 3/4, @taviso reported a vulnerability to us in one of our emulators, which in theory could have been abused for RCE. On 3/9 he released a tool to simplify vuln. analysis in the emulator. Today, to protect our hundreds of millions of users, we disabled the emulator.
— Avast (@avast_antivirus) March 11, 2020
In January this year, the security vendor was at the centre of a privacy scandal involving its data-harvesting subsidiary Jumpshot, which it was forced to divest.
Avast also accidentally distributed malware to millions of users for over a month in 2017, via the CCleaner utility that the security vendor had bought the same year.