A security researcher has found a serious bug in Avast's secure web browser, Avastium, that could allow a hacker to “read any file on the filesystem by clicking a link”.
Avastium, also known as SafeZone, is based on a fork of Chromium. Because Avast imports the user's profile from Chrome, Chrome users who have Avast installed are exposed to such attacks even if they never open Avastium.
“Although this attack relies on Avastium (Avast's port of Chromium), the victim does *not* have to be using it, and never has to have used it, because your profile is automatically imported from Chrome on startup,” said the researcher, Ormandy.
The flaw, which Ormandy reported in December, has only recently been fixed; Avast shipped the fix in Avast version 2016.11.1.2253.
He set up a proof-of-concept website that lists the contents of the computer's C:\ drive, but an attacker could easily extend it to send back any file of interest.
Ormandy said that the browser opens an RPC service on the local computer that listens on port 27275. A malicious website opened in any browser can therefore send commands to this service by forcing the browser to make requests to http://localhost:27275/command.
One such command, SWITCH_TO_SAFEZONE, takes a URL embedded in the request and passes it to Avastium's command line. That is dangerous because Avast had removed what Ormandy called a “critical security check” that prevents non-web URLs from being opened from the command line.
“For some reason, Avastium removed this check for dangerous schemes, and will allow any URL scheme without restriction on the command line. This includes internal schemes like chrome://, therefore being able to specify a URL on the command line *does* get you additional privilege with Avastium,” said Ormandy.
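The two checks the article describes as missing, as an added Python model that is not Avast's or Chromium's code: a local `/command` handler that refuses requests a web page caused the browser to send, and an allow-list of URL schemes applied before anything reaches the browser's command line. The parameter names (`cmd`, `url`), the `X-Auth-Token` header and the per-process token are assumptions made for illustration; only the port, the path and the SWITCH_TO_SAFEZONE command name come from the article.

```python
import secrets
from urllib.parse import parse_qs, urlparse

# Only plain web schemes may be opened from the command line. Internal schemes
# such as chrome:// and file:// confer extra privilege and are rejected.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed per-process secret (assumption): handed only to the local client
# that launched the service, so a web page has no way to supply it.
SESSION_TOKEN = secrets.token_hex(16)


def is_safe_external_url(url: str) -> bool:
    """Return True only if url uses an allow-listed scheme and names a host."""
    try:
        parsed = urlparse(url)
    except ValueError:          # malformed input, e.g. bad IPv6 brackets
        return False
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False            # chrome://, file://, javascript:, about: ...
    return bool(parsed.netloc)  # "http://" alone is not a usable target


def is_local_caller(headers: dict) -> bool:
    """Reject requests that a browser sent on behalf of a web page.

    A request a page forced the browser to make carries Origin and/or Referer;
    a request from the trusted local process carries neither, and must also
    present the per-process token (constant-time compared)."""
    norm = {k.lower(): v for k, v in headers.items()}
    if "origin" in norm or "referer" in norm:
        return False
    return secrets.compare_digest(norm.get("x-auth-token", ""), SESSION_TOKEN)


def handle_command(headers: dict, query: str) -> tuple:
    """Model of a hardened http://localhost:27275/command handler.

    Returns (status, message) instead of performing any action."""
    if not is_local_caller(headers):
        return (403, "request not from the trusted local client")
    params = parse_qs(query)
    cmd = params.get("cmd", [""])[0]
    if cmd != "SWITCH_TO_SAFEZONE":
        return (400, "unknown command")
    url = params.get("url", [""])[0]
    if not is_safe_external_url(url):
        return (400, "url scheme not permitted on the command line")
    return (200, "would open %s in the sandboxed browser" % url)


if __name__ == "__main__":
    # Constructed sample requests: one a page forced the browser to send,
    # one from the local client with an internal scheme, one acceptable.
    print(handle_command({"Origin": "http://attacker.invalid"},
                         "cmd=SWITCH_TO_SAFEZONE&url=chrome://settings"))
    print(handle_command({"X-Auth-Token": SESSION_TOKEN},
                         "cmd=SWITCH_TO_SAFEZONE&url=chrome://settings"))
    print(handle_command({"X-Auth-Token": SESSION_TOKEN},
                         "cmd=SWITCH_TO_SAFEZONE&url=https://example.com/"))
```

Either check alone would have blocked the scenario the article describes: the origin check stops a page from driving the local service at all, and the scheme allow-list stops an internal URL from reaching the command line even if a request does get through. Keeping both is the usual defence-in-depth for any local RPC listener a browser can reach.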
Nick Jones, security consultant at MWR InfoSecurity told SCMagazineUK.com that it is unfortunately not uncommon to find that application developers within a security product company are not themselves security experts, and make implementation decisions (such as disabling a key security feature, as happened in this particular instance) without considering the security implications.
“If the alterations are not reviewed by someone with knowledge of the security implications of such decisions it's easy for issues such as this to make their way into a production version of a security software package,” he said.
Jones added that Google put a great deal of effort into ensuring the security of the main Chrome browser product, and any security issues identified will be fixed in the main Chrome project first, before they can make their way into third-party variants.
“When the decreased response time is combined with Google's proven browser security track record, it makes it clear that users are likely better off sticking with the main Google-published Chrome browser or its open source variant, Chromium,” added Jones.
James Maude, senior security engineer at Avecto, told SC that the market has seen several failed attempts to create new “secure” browsers over the past few years and yet companies still aren't learning the lessons.
“Few, if any, organisations are capable of matching the resource and skill set of the Chrome security team, so often changes introduced in these new browsers are largely superficial branding exercises which offer little benefit for the user,” he said.
He said that the firm should not have offered a custom browser in the first place.
“The fact that it has taken them weeks to fully fix this issue does not instil confidence for users of this browser. If you are going to go down this road you need to be absolutely confident you are doing this for the right reasons. If you are serious about improving the security of the browser, you should probably be contributing to Chrome rather than building a new version.”
We approached Avast for a comment, but at the time of publication we had not had a response.