Avast SafeZone, also known as Avastium, is based on the open source Chromium browser and comes with Avast’s subscription to its antivirus software.
Last December, Google Project Zero security researcher Tavis Ormandy notified the company of flaws he found in the browser that could allow an attacker to access stored passwords and local files. He made his notification public this week.
According to Ormandy, a user can fall prey to someone accessing their browser if they click on a malicious website set up by the attacker. Ormandy created a proof of concept attack that could exploit someone’s C:/ drive and access files. He also discovered that Avast’s browser had removed a “critical security check” from Chromium that would help in preventing these kinds of attacks.
“Putting this all together, if an Avast user using *any* Web browser visits an attacker controlled URL, he can launch Avastium and take complete control of it; reading files, cookies, passwords, everything,” said Ormandy. “He can even take control of authenticated sessions and read email, interact with online banking, etc.”
Avast published a patch for the vulnerability this week after Ormandy gave a 90-day period before going public.
Ormandy has been busy of late discovering holes and bugs in security software. This week he went public with flaws in Comodo’s browser, which is also based on Chromium while before that he published research into Malwarebytes that showed it was susceptible to man in the middle attacks.
Several antivirus and security vendors have come under scrutiny in the last few weeks for flaws in their software. Kaspersky Lab, McAfee, and AVG all had flaws discovered in their software recently.
