Avast SafeZone Browser Lets Attackers Access Your Filesystem

An anonymous reader writes: Just two days after Comodo's Chromodo browser was publicly shamed by Google Project Zero security researcher Tavis Ormandy, it's now Avast's turn to be publicly scorned for failing to provide a "secure" browser for its users. Called SafeZone, and also known as Avastium, Avast's custom browser is offered as a bundled download for all who purchase or upgrade to a paid version of Avast Antivirus 2016. This poor excuse of a browser was allowing attackers to access files on the user's filesystem just by clicking on malicious links. The browser wouldn't even have to be opened, and the malicious link could be clicked in "any" browser.

This browser

[ArchieBunker]

still has more market share than Firefox!

Just in time!!

[frootcakeuk]

I had been thinking about ditching Avast for the last few months (not for this reason) as it seemed to be changing into something I don't like the feel of but was reluctant(lazy).

Finally changed to Avira 2 weeks ago and have been glad I did. Very glad now!

Re:Just in time!!

[zenlessyank]

Good choice for a free tool. The pop-up in the corner is slightly annoying but since it's free... And it has caught several nasty's that snuck in, but also has thrown up a few false positives for PUP's, but only in places where files had been downloaded (not system files etc.). Also another suggestion is ClamWin. It is open source and free. It is a little clunky but works great on obscure Win OS'es like 2003 & 2008 server plus all the Windows Clients from XP to Win 8.1. It also runs on Linux as I also have it on 2 different CentOS 6.x boxes.

Re:Just in time!!

avast went super creepy a version or two ago. on top of the misleading popups to sell their paid product, their snooping and spying and data collection now would make facebook or google jelly.

Re:Just in time!!

[Calydor]

What annoys me most at the moment is their unwanted clean-up tool that tells me I have some 100 GB of unused programs it wants to delete - with no list of WHICH programs it's talking about.

Re: Just in time!!

[oobayly]

It's probably just a random number generator. Do you even have 100GB of programs?

Re:Just in time!!

[I'm+New+Around+Here]

Nevermind that. I want to hear more about the "google jelly" from the AC. I can do without facebook jelly, though, it just sounds distasteful.

Re: Just in time!!

[Calydor]

Well, with various games installed that I used to play but don't at the moment it can quickly get up there. WoW is some 30 GB, so is Fallout 4, might still have Wildstar installed for another 20 ... It adds up these days. The point is that a list of what you're about to delete before deleting 100 GB would be really, really nice.

Re:Just in time!!

They very nicely provided a button to turn these notices off. At least they did, unlike many other programs where you get no choice.

failing to provide a "secure" browser for its user

a "secure" browser?

well fuck me, I never heard of such a thing.

Re:failing to provide a "secure" browser for its u

[mikael]

There is the "lynx" web browser. That doesn't allow images to be viewed, so it's very basic.

Re:failing to provide a "secure" browser for its u

[ArylAkamov]

Ditto. I just stopped trying a few years ago. One computer on the internet with no antivirus or anything for downloading files and internet/games/etc., one completely disconnected with shit I actually care about (CAD files, tax information, personal shit, etc.).

In the off chance I catch something, it's just another quick format and reinstall in the bucket. And that hasn't happened in years (Last one was due to a friend having an infected flashdrive).

Avast AVG is already spies on you DELETE IT NOW!

I used to use AVG but dropped it like a lead balloon because they changed their terms and conditions to spy on the web browsing habits to sell to advertisers http://www.wired.co.uk/news/ar... http://www.techeye.net/news/av...

I don't get it

[SmaryJerry]

Doesn't this mean any app you have installed on your computer would let you do this?

Re:I don't get it

[jarkus4]

Post by the researcher is quite nice and understandable.
Basically Avast opens a local port for the purpose of interprocess communication (or RPC to be specific). It listens to properly formatted post requests (that can be easily sent from another page you open) and performs some actions from predefined list. One of those actions allows to launch this weird "safe" browser with an arbitrary url. Since Avast removed some chromium safety feature it allowed launching dev tools with some arbitrary controlling javascript, allowing acces to local files, doing requests using stored cookies etc.
Other application are generally not affected, because they dont provide this local port, so they cant be remotely launched in an easy way (Avast command list is limited, so you cant launch random stuff).

already fixed

[jarkus4]

it would be nice to point out in the summary, that the problem has already been fixed (in December, 10 days after being reported)

Re:already fixed

No, that is irrelevant to the essence of the message that is being conveyed here: "Security centered company screws up in the one area they are not supposed to screw up in: Security"

Re:already fixed

[jarkus4]

Without this info the summary is simple sensationalist "panic, panic! if you have this you are in danger!". By adding simple "in earlier versions" or similar info it turns into the shaming message you are talking about.

I gave up on security stuff

I basically resolved myself to accept that anything to do with computer security is like going to a fortune teller for advice. They may actually hit on a few tidbits of your past. But they won't tell you what you need to know. I stick with the basic security, keeping my PC up to date, using a modern up to date browser and paying attention to what attacks are currently taking place. Spending ridiculous amounts of money and time installing and dealing with security solutions is never going to keep you much safer. It just adds yet another way for a attack to take place.

All browsers

[Hognoxious]

All browsers allow timothy to infect slashdot.

Re:All browsers

All browsers? Wait a sec...

Are you absolutely certain he'd be able to infect as effectively, say, with LYNX?

Re:All browsers

[Hognoxious]

Yup.

Re:All browsers

[Lotharus]

That only proves you can see posts by timothy when using lynx. Doesn't prove timothy could actually post using lynx.

Re:failing to provide a "secure" browser for its u

In the off chance I catch something [...] hasn't happened in years

How do you even know? Do you do a periodical malware scan? Aren't you worried if you get something it might be too late?

I don't use Windows anywhere, but using it without an anti-malware tool, even if it's a disconnected device, is silly. Cowboy silly.

no choice

I've been using the paid version of Avast for a couple of years now and it's great. I disable most of the features and have never used the SafeZone thing because I just assumed it was crap.

Every single anti-virus (you're not even supposed to call it that anymore) product nowadays is bloated with either useless or very insecure features (or both, like in this case). It's gotten to the point that even gross incompetence such as this shouldn't keep you from using the product, because the alternatives are either inferior or also suffer from the same stupid mistakes (or both).

Avast is a huge piece of shit

Avast is a huge bloated piece of shit that eats network data like candy.

Anti-Virus Poll

[GrBear]

Slashdot should have an actual useful poll, like asking people what they use for Anti-Virus software. With all the geeks out there and their collective experience, it would be alot better than some Top 10 list posted by a company acting as a shill for a specific vendor.

Re:Anti-Virus Poll

I think we all know the results already. There are exactly three free solutions that are worth using and deliver consistent protection: Avira, Bitdefender and Panda.
And about half a dozen for people willing to pay. Take a look at AV Comparatives reports.

Re:Anti-Virus Poll

[GrBear]

I use Panda, but it tends to have ALOT of false positives. Far more than I had with paid Avast and Kaspersky.

Best prevention possible inside... apk

APK Hosts File Engine 9.0++ SR-4 32/64-bit http://start64.com/index.php?o...

-

FREE, not 'souled-out' to advertisers, adds speed, security & reliability.

Does far more w/ far less more efficiently vs. addons (clarityray blockable, redundant + RAM/CPU wasteful & 'souled-out' crippled by default) & local DNS servers @ home.

Fixes DNS' security issues & stops tracking @ webpage + DNS levels via 1 file you NATIVELY have!

(Firewalls do rest on FAR less used IP address trackers/threats vs. host-domain names).

-

Obtains data vs. online threats & ads via 10 reputable security community sites - easily edited by you using my program.

-

SPEEDS YOU UP 2 ways:

Adblocking ALL ads + local RAM cached favorite sites @ TOP of hosts for faster resolution vs. remote DNS (for reliability + speed) vs. other "so-called security 'solutions'" SLOWING YOU!

-

All via what you already have vs. illogically "bolting on browser addons 'MOAR'" (clarityray detected/blockable + usermode slow & increased messagepassing, cpu + ram overheads)

-

MalwareBytes' hpHosts Admin (MalwareBytes employee verified it's source as safe http://forum.hosts-file.net/vi... ) hosts & recommends it -> http://hosts-file.net/?s=Downl...

&

MalwareBytes = BEST antivirus per a VERY recent testing of them all http://www.av-test.org/en/news...

&

It's safe proven by 57 antivirus programs in BOTH its 64-bit model https://www.virustotal.com/en/...

+

32-bit model https://www.virustotal.com/en/...

&

Installer-> http://f.virscan.org/APKHostsF...

-

* "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend".

APK

P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:

"The image this title brings to mind is a mighty military commander who can at a mere word summon rank upon rank of protective power" -> https://answers.yahoo.com/ques... & THE WORD = hosts!

(Accept NO substitutes)

...apk

Hosts = The way of the future in antivirus... apk

See subject - Custom hosts get you more speed, security, reliability, & anonymity online using what you already natively have:

APK Hosts File Engine 9.0++ SR-4 32/64-bit:

http://www.start64.com/index.p...

* It's superior to antivirus tech (which even Symantec/Norton ADMITS isn't effective anymore vs. modern threat vectors) as it's NOT AS REACTIVE & far more PROACTIVE since antivirus waits till you're "sick" for detection largely, but hosts?

HOSTS BLOCK SOURCES OF MALWARE & BOTNETS BEFORE YOU CAN TOUCH THEM!

(& you can't be hurt by what can't get to you in the 1st place)

Hosts files also speed you up 2 ways (hardcoded favorite sites where you spend MOST time online cached in RAM @ TOP of hosts for fastest possible resolution speed, faster than remote DNS, + of course, adblocking too). AntiVirus SLOWS YOU DOWN by way of comparison!

Hosts also knock the chocolate outta browser addons by FAR in terms of their abilities and for LESS resource use in CPU/RAM by far too - even with UBlock Origin lately using hosts data (imitation is the sincerest form of flattery, but it falls short - it's not a resolver, hosts is, & so it blocks DNS redirect poisoning of which 99.999% of ISP DNS are NOT patched against, & makes your connection faster + more reliable resolving locally from RAM vs. them, not just blocking ads for speed & hosts work 1st (1st resolver used + far more - read the link, be enlightened!)

Enjoy - it's free, it works on MANY fronts doing more w/ less (good engineering) using what you already have natively!

Hosts != clarityray detectable & blockable like browser addons - it's not a browser addon w/ their weaknesses in less abilities & yet using more operating in a SLOWER mode of operations (usermode) vs. hosts (kernelmode).

APK

P.S.=> Custom hosts files = superior (even vs. firewalls using layered filtering drivers & MORE EFFECTIVE since hosts combat what malware uses - host/domain names MOST, not IP addresses)... apk

Re:Avast AVG is already spies on you DELETE IT NOW

Avast and AVG are 2 completely different companies

Re:Avast AVG is already spies on you DELETE IT NOW

[doccus]

Avast and AVG are 2 completely different companies

Sure, but I think the poster was pointing out that they have also followed the same path as avast.