Security vendor Avast has urgently disabled a component in its antivirus product that researchers said could have exposed over 400 million users to remote arbitrary code execution.
"Despite being highly privileged and processing untrusted input by design, it is unsandboxed and has poor mitigation coverage.
"Any vulnerabilities in this process are critical, and easily accessible to remote attackers."
"1/2 - Last week, 3/4 @taviso reported a vulnerability to us in one of our emulators, which in theory could have been abused for RCE. On 3/9 he released a tool to simplify vuln. analysis in the emulator. Today, to protect our hundreds of millions of users, we disabled the emulator." — Avast (@avast_antivirus) March 11, 2020
In January this year, the security vendor was at the center of a privacy scandal involving its data-harvesting subsidiary Jumpshot, which it was forced to divest.
Avast also accidentally distributed malware to millions of users for over a month in 2017, via the CCleaner utility whose maker the security vendor had acquired the same year.