A security researcher from Google has revealed a vulnerability in a browser developed by antivirus company Avast. The browser is called Avastium, is also known as 'SafeZone' and built upon the open source browser Chromium.
A remote filesystem access vulnerability in the default Avast install. https://t.co/mUkbksUacT
— Tavis Ormandy (@taviso) February 3, 2016
Chromium is also the foundation of Google's Chrome and some other browsers. Avast has removed important security checks from the source code, according to Google's security researcher Tavis Ormandy. This makes it possible to for an attacker to start Avastium if the user visits a malicious website with any other browser. After that, the attacker can take full control over Avastium to read e.g. the browsing history, cookies and passwords.
And yet another case of forking Chromium for "security" because of your virus expertise. Seriously, you're going to screw it up.
— Tavis Ormandy (@taviso) February 3, 2016
The attacker can also hijack any authenticated sessions which allows him to e.g. read emails from webmail providers or do things with internet banking. Ormandy doesn't rule out that after more research he finds a way for an attacker to execute random code on the computer and take full control over it.
At the end of December last year he already warned Avast which patched the vulnerability yesterday.
