Avast's Secure Web Browser Was Anything But Safe

Antivirus software packages often include custom-built "secure" Web browsers to be used when navigating banking and shopping sites. But secure browsers can be more trouble than they're worth, as proved by Avast's own Avastium browser, which exposed users' computers to data theft.

Image: Volt Collection / Shutterstock

While modifying Google's open-source Chromium browser into Avastium, Avast removed a safeguard that stopped a Web server from remotely accessing local (i.e., non-Internet) files or running local commands on a client's (i.e., your) browser. Without that safeguard, Chromium's Developer Tools made it possible for a Web server to remotely run malicious JavaScript code in a client's browser.

Once a site containing malicious code (which could be embedded in an ad, an iframe or in a number of other ways) was opened on a PC that happened to have Avast installed, an attacker controlling the malicious code could launch the Avastium browser on the client machine and use it to browse the computer's files, including passwords, bank statements, love letters, naughty pictures and so on.


Most Web browsers can browse and view files (type "file:///C:/" into an address bar to see for yourself), but they are only meant to do so locally, i.e., on the same computer or local network. Avast's mistake was that it allowed Avastium to do so across the Internet.

Since Avastium imports user profiles from Chrome when Avast's software is installed, all Chrome users with Avast installed are vulnerable to the attack, not just those who actively use Avastium. This flaw was discovered by Tavis Ormandy, a Google security researcher who recently found flaws in other brands of antivirus software, including AVG, Comodo, Malwarebytes and Trend Micro.

Ormandy posted a proof-of-concept demonstration of the exploit online which, if you have Avast software installed, will print out the contents of your C: drive to demonstrate how easily access can be gained. He reported the bug to Avast when he discovered it in December 2015, and released news of the flaw to the public only after it was patched on Wednesday (Feb. 3). Avast antivirus users should make sure their installations of the software are up to date with version 2016.11.1.2253.