Avast SafeZone Browser Lets Attackers Access Your Filesystem

An anonymous reader writes: Just two days after Comodo's Chromodo browser was publicly shamed by Google Project Zero security researcher Tavis Ormandy, it's now Avast's turn to be publicly scorned for failing to provide a "secure" browser for its users. Called SafeZone, and also known as Avastium, Avast's custom browser is offered as a bundled download for all who purchase or upgrade to a paid version of Avast Antivirus 2016. This poor excuse of a browser was allowing attackers to access files on the user's filesystem just by clicking on malicious links. The browser wouldn't even have to be opened, and the malicious link could be clicked in "any" browser.

Just in time!!

[frootcakeuk]

I had been thinking about ditching Avast for the last few months (not for this reason) as it seemed to be changing into something I don't like the feel of but was reluctant(lazy).

Finally changed to Avira 2 weeks ago and have been glad I did. Very glad now!

Re:Just in time!!

[zenlessyank]

Good choice for a free tool. The pop-up in the corner is slightly annoying but since it's free... And it has caught several nasty's that snuck in, but also has thrown up a few false positives for PUP's, but only in places where files had been downloaded (not system files etc.). Also another suggestion is ClamWin. It is open source and free. It is a little clunky but works great on obscure Win OS'es like 2003 & 2008 server plus all the Windows Clients from XP to Win 8.1. It also runs on Linux as I also have it on 2 different CentOS 6.x boxes.

Re:Just in time!!

[Calydor]

What annoys me most at the moment is their unwanted clean-up tool that tells me I have some 100 GB of unused programs it wants to delete - with no list of WHICH programs it's talking about.

Re: Just in time!!

[oobayly]

It's probably just a random number generator. Do you even have 100GB of programs?

Re:Just in time!!

[I'm+New+Around+Here]

Nevermind that. I want to hear more about the "google jelly" from the AC. I can do without facebook jelly, though, it just sounds distasteful.

Re: Just in time!!

[Calydor]

Well, with various games installed that I used to play but don't at the moment it can quickly get up there. WoW is some 30 GB, so is Fallout 4, might still have Wildstar installed for another 20 ... It adds up these days. The point is that a list of what you're about to delete before deleting 100 GB would be really, really nice.

Re:failing to provide a "secure" browser for its u

[mikael]

There is the "lynx" web browser. That doesn't allow images to be viewed, so it's very basic.

Re:failing to provide a "secure" browser for its u

[ArylAkamov]

Ditto. I just stopped trying a few years ago. One computer on the internet with no antivirus or anything for downloading files and internet/games/etc., one completely disconnected with shit I actually care about (CAD files, tax information, personal shit, etc.).

In the off chance I catch something, it's just another quick format and reinstall in the bucket. And that hasn't happened in years (Last one was due to a friend having an infected flashdrive).

Avast AVG is already spies on you DELETE IT NOW!

I used to use AVG but dropped it like a lead balloon because they changed their terms and conditions to spy on the web browsing habits to sell to advertisers http://www.wired.co.uk/news/ar... http://www.techeye.net/news/av...

I don't get it

[SmaryJerry]

Doesn't this mean any app you have installed on your computer would let you do this?

Re:I don't get it

[jarkus4]

Post by the researcher is quite nice and understandable.
Basically Avast opens a local port for the purpose of interprocess communication (or RPC to be specific). It listens to properly formatted post requests (that can be easily sent from another page you open) and performs some actions from predefined list. One of those actions allows to launch this weird "safe" browser with an arbitrary url. Since Avast removed some chromium safety feature it allowed launching dev tools with some arbitrary controlling javascript, allowing acces to local files, doing requests using stored cookies etc.
Other application are generally not affected, because they dont provide this local port, so they cant be remotely launched in an easy way (Avast command list is limited, so you cant launch random stuff).

already fixed

[jarkus4]

it would be nice to point out in the summary, that the problem has already been fixed (in December, 10 days after being reported)

Re:already fixed

[jarkus4]

Without this info the summary is simple sensationalist "panic, panic! if you have this you are in danger!". By adding simple "in earlier versions" or similar info it turns into the shaming message you are talking about.

All browsers

[Hognoxious]

All browsers allow timothy to infect slashdot.

Re:All browsers

[Hognoxious]

Yup.

Re:All browsers

[Lotharus]

That only proves you can see posts by timothy when using lynx. Doesn't prove timothy could actually post using lynx.

Anti-Virus Poll

[GrBear]

Slashdot should have an actual useful poll, like asking people what they use for Anti-Virus software. With all the geeks out there and their collective experience, it would be alot better than some Top 10 list posted by a company acting as a shill for a specific vendor.

Re:Anti-Virus Poll

[GrBear]

I use Panda, but it tends to have ALOT of false positives. Far more than I had with paid Avast and Kaspersky.

Re:Avast AVG is already spies on you DELETE IT NOW

[doccus]

Avast and AVG are 2 completely different companies

Sure, but I think the poster was pointing out that they have also followed the same path as avast.