Antivirus software packages often include custom-built "secure" Web browsers to be used when navigating banking and shopping sites. But secure browsers can be more trouble than they're worth, as Avast's own Avastium browser showed: it exposed users' computers to data theft.
Once a site containing malicious code (which could be embedded in an ad, an iframe or delivered in a number of other ways) was opened on a PC that happened to have Avast installed, an attacker controlling that code could launch the Avastium browser on the victim's machine and use it to browse the computer's files: passwords, bank statements, love letters, private pictures and so on.
Most Web browsers can browse and view local files (type "file:///C:/" into an address bar to see for yourself), but they only let the user do that from the address bar; a page loaded from an http or https site is not allowed to open or read file:// URLs, which is what keeps a remote site from reading your disk. Avast's mistake was that Avastium let a remote Web page trigger exactly that kind of local-file access across the Internet.
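A minimal version of that rule, written here as an added example in JavaScript (it is not code from the article or from Avast): a navigation to a file:// URL is allowed only when the user typed it, and refused whenever Web content, from any origin, requested it. The request list at the bottom is constructed for the example, and the initiator shape (`{ kind, origin }`) is an assumption made for illustration, not a real browser API.

```javascript
// Added example, not from the article or from Avast. A toy navigation policy
// of the kind a browser enforces: web content must never reach file:// URLs.

const LOCAL_SCHEMES = new Set(["file:"]);

/**
 * Decide whether a navigation may proceed.
 * @param {string} targetUrl  the URL being navigated to
 * @param {{kind: string, origin?: string}} initiator  who asked for it:
 *   { kind: "user" } for an address-bar entry, or
 *   { kind: "web", origin: "https://ads.example" } for a page, script,
 *   iframe or ad that requested the navigation (shape assumed for this example).
 * @returns {{allowed: boolean, reason: string}}
 */
function checkNavigation(targetUrl, initiator) {
  let url;
  try {
    url = new URL(targetUrl); // WHATWG URL parser, built into Node and browsers
  } catch (e) {
    return { allowed: false, reason: "unparseable URL" };
  }

  if (!LOCAL_SCHEMES.has(url.protocol)) {
    return { allowed: true, reason: "not a local-file scheme" };
  }

  // From here on the target is file://.
  if (initiator.kind === "user") {
    return { allowed: true, reason: "user-typed file URL" };
  }

  // Web content, whatever its origin (including the opaque "null" origin a
  // sandboxed frame or file:// page gets), is refused: otherwise a remote
  // page could list and read the local disk, which is the Avastium problem.
  return {
    allowed: false,
    reason: `file: navigation blocked for web origin ${initiator.origin}`,
  };
}

// Constructed sample of navigation requests, as a browser might see them
// while rendering a banking page that also carries a malicious ad.
const SAMPLE_REQUESTS = [
  { target: "https://bank.example/login",
    initiator: { kind: "web", origin: "https://bank.example" } },
  { target: "file:///C:/",
    initiator: { kind: "user" } },
  { target: "file:///C:/Users/",
    initiator: { kind: "web", origin: "https://ads.example" } },
  { target: "file:///etc/passwd",
    initiator: { kind: "web", origin: "null" } },
  { target: "not a url",
    initiator: { kind: "web", origin: "https://ads.example" } },
];

/** Return the targets from a request list that the policy refuses. */
function blockedTargets(requests) {
  return requests
    .filter((r) => !checkNavigation(r.target, r.initiator).allowed)
    .map((r) => r.target);
}

for (const r of SAMPLE_REQUESTS) {
  const verdict = checkNavigation(r.target, r.initiator);
  console.log(`${verdict.allowed ? "ALLOW" : "BLOCK"} ${r.target}: ${verdict.reason}`);
}
```

The point of keeping the decision on the initiator rather than on the target alone is that the same URL ("file:///C:/") is harmless when the user types it and dangerous when an ad asks for it; a secure browser that forgets who is asking ends up with exactly the exposure described above.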
Since Avastium imports user profiles from Chrome when Avast's software is installed, every Chrome user with Avast on the machine was exposed to the attack, not just those who actively used Avastium. The flaw was discovered by Tavis Ormandy, a Google Project Zero security researcher who recently found flaws in other brands of antivirus software, including AVG, Comodo, Malwarebytes and Trend Micro.
Ormandy posted a proof-of-concept demonstration of the exploit online, which, if you have a vulnerable Avast installation, lists the contents of your C: drive to show how easily access can be gained. He reported the bug to Avast when he discovered it in December 2015 and released details to the public only after it was patched on Wednesday (Feb. 3, 2016). Avast antivirus users should check the version shown in the program's settings and make sure it is 2016.11.1.2253 or later.