Google Researchers Find Design Flaw in Avast Antivirus

Published in PC Magazine (PCMag), Mar 12, 2020. 3 min read.

Google security researchers warn that a design choice in Avast’s antivirus software could open the door to remote exploitation. In response, Avast patched the problem by shutting the function down.

By Michael Kan

Google security researchers have uncovered a potential design flaw in Avast’s antivirus software that could have been used to remotely hack a PC.

On Monday, Google researcher Tavis Ormandy publicized the problem, which concerns Avast’s antivirus service, “AvastSvc.exe.” The service scans untrusted data, in local files and in network traffic, for suspected malware. However, Ormandy noticed that it may have been possible to trick AvastSvc.exe into running malicious code: the same process runs with the highest system privileges and without any isolation from the rest of the operating system, so a bug in the code that parses attacker-controlled input is a bug in a process that can do anything on the machine.

“Despite being highly privileged and processing untrusted input by design, it is unsandboxed and has poor mitigation coverage. Any vulnerabilities in this process are critical,” Ormandy wrote in his post about the design flaw.
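Two of the three properties Ormandy names, the account the process runs under and its exploit-mitigation coverage, can be checked from an elevated PowerShell on any Windows 10 (1709 or later) host. The script below is an added example and is not code from the article, from Google or from Avast. The image name is an assumption, chosen because it is the process the article discusses; substitute any service executable. The property names read from the `Get-ProcessMitigation` output follow the ProcessMitigations module’s documented object layout; if your module version lays the object out differently, pipe it through `Format-List *` to see the available fields.

```powershell
# Added example, not from the article, Google or Avast: report the account a service
# process runs under and the exploit mitigations applied to it, i.e. the
# "privileged, poor mitigation coverage" combination the article describes.
# Requires an elevated PowerShell on Windows 10 1709 or later (ProcessMitigations module).
# The default image name is an assumption; substitute the executable you want to check.
param([string]$ImageName = 'AvastSvc.exe')

$baseName = [System.IO.Path]::GetFileNameWithoutExtension($ImageName)

# 1. Privilege: which account owns the process? -IncludeUserName needs elevation.
$procs = @(Get-Process -Name $baseName -IncludeUserName -ErrorAction SilentlyContinue)
if ($procs.Count -eq 0) {
    Write-Warning "$ImageName is not running; nothing to inspect."
    return
}
foreach ($p in $procs) {
    $note = if ($p.UserName -eq 'NT AUTHORITY\SYSTEM') { '  <-- runs as SYSTEM' } else { '' }
    '{0} (PID {1}) runs as {2}{3}' -f $p.ProcessName, $p.Id, $p.UserName, $note
}

# 2. Mitigation coverage for the running process: DEP, ASLR, CFG, dynamic-code and
#    child-process policy. Anything reporting OFF or NOTSET on a process that parses
#    untrusted input is worth a closer look.
$mitigations = @(Get-ProcessMitigation -Name $ImageName -RunningProcesses)
foreach ($entry in $mitigations) {
    [pscustomobject]@{
        Process          = $entry.ProcessName
        Id               = $entry.Id
        DEP              = $entry.DEP.Enable
        ForceRelocate    = $entry.ASLR.ForceRelocateImages
        HighEntropyASLR  = $entry.ASLR.HighEntropy
        BottomUpASLR     = $entry.ASLR.BottomUp
        CFG              = $entry.CFG.Enable
        BlockDynamicCode = $entry.DynamicCode.BlockDynamicCode
        NoChildProcesses = $entry.ChildProcess.DisallowChildProcessCreation
    }
}
```

The third property, whether the process is sandboxed at all, is not something a mitigation listing shows: a process can have every mitigation on and still hold a full SYSTEM token with no job, AppContainer or broker between it and the rest of the system. Treat the output above as a quick triage of attack surface, not as proof that a scanner is safe.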

Compounding the risk, AvastSvc.exe has a built-in interpreter that reads and executes JavaScript, the scripting language used on web pages. Avast says the interpreter is designed to act as an “emulator,” presumably so the software can run a JavaScript file and observe its behavior to decide whether it is malicious.

Nevertheless, that same emulator gives attackers a potential entry point into AvastSvc.exe. The main worry is that if an attacker ever finds a serious bug in the emulator, they could booby-trap JavaScript on websites or in emails to exploit it, because the scanner executes such scripts on its own as part of checking them.

“If you find a vulnerability, it is likely critical and wormable,” Ormandy added in his post.

It isn’t the first time Ormandy has warned about such threats. In 2017, he and Google security researcher Natalie Silvanovich found a similar vulnerability in Microsoft’s Windows Defender: if the software scanned a specially crafted file, Windows Defender could be tricked into running attacker-supplied code. “This is crazy bad,” Ormandy tweeted at the time. Fortunately, Microsoft was quick to roll out a patch.

In Avast’s case, the antivirus provider has decided to disable the JavaScript emulator in AvastSvc.exe to address the design flaw. “This won’t affect the functionality of our AV (antivirus) product, which is based on multiple security layers,” the company told PCMag in a statement. On Twitter, Avast also characterized the threat as largely theoretical.

The company patched the problem after Ormandy and Silvanovich reported the design flaw to it last week. Perhaps to pressure Avast into action, Ormandy also released a public tool that lets interested users load the JavaScript emulator from AvastSvc.exe and analyze it for flaws.

Originally published at https://www.pcmag.com.
