Czech antivirus maker Avast has taken the extreme step of disabling a major component of its antivirus product after a security researcher found a dangerous vulnerability that put all of the company’s users at risk.
“Despite being highly privileged and processing untrusted input by design, it is unsandboxed and has poor mitigation coverage,” said Tavis Ormandy, a security researcher at Google.
“Any vulnerabilities in this process are critical, and easily accessible to remote attackers,” Ormandy said on Monday when he also released a tool that he used to analyze the company’s antivirus.
Exploitation was trivial
For example, using this bug, attackers would have the ability to install malware on an Avast user’s device.
Avast notified last week
Contacted by ZDNet for comment, the Czech company provided the following statement on the series of events that led to today’s drastic measure.
“Last Wednesday, March 4, Google vulnerability researcher Tavis Ormandy reported a vulnerability to us affecting one of our emulators. The vulnerability could have potentially been abused to carry out remote code execution.
On March 9, he released a tool to greatly simplify vulnerability analysis in the emulator.
We have fixed this by disabling the emulator, to ensure our hundreds of millions of users are protected from any attacks. This won’t affect the functionality of our AV product, which is based on multiple security layers.”
There is no current timeline for when a patch would be ready.
Ormandy discovered the Avast antivirus bug using a tool he developed in 2017 that allows him to port Windows DLL files to Linux, where automated fuzzing and other security tests can be carried out more easily.