Google engineer and serial bug finder finds holes in Avastium, Chromodo and Malwarebytes anti-malware browsers
Serial bug finder, Tavis Ormandy is at his best again. After exposing bugs and vulnerabilities in Trend Micro and AVG products, Ormandy has now found three issues found in software offered by security firms Avast, Comodo and Malwarebytes. According the Ormandy all bugs are different and can allow a potential hacker access to victims PC through the three ‘secure’ browsers offered by these AV makers bundled with their software.
AVAST
During his research, Ormandy found out that Avast’s Avastium browser, which is a fork of Google Chromium, allowed a potential attacker to “read any file on the filesystem by clicking a link.” Ormandy says that the exploit involves using a specially-crafted JavaScript web page that could bypass built-in checks and potentially allow a malicious party to read cookies and email.
Ormandy said that he had informed Avast on December 8th, but Avast released a patched version of its Avastium browser only on February 3rd.
Comodo
When users install the Comodo software suite, it replaces user’s Chrome browser installation with Comodo’s own browser called Chromodo. Ormandy states that when Chromodo is installed “all shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices,” notes Ormandy.
While Chrome operates a same-origin policy, which ensures that only scripts from the same website can access from each other, Chromodo disabled that protection and left users open to having their private data sniffed by malware laden websites.
Comodo has said that the fault was not in the browser but in an add-on. Comodo director Charles Zinkowski told eWeek that the company released a new version of the browser without the add-on on February 3rd, which has fixed the issue for all users.
Malwarebytes Anti-Malware browser
In the case of Malwarebytes, Ormandy found that its Anti-Malware browser wasn’t downloading updates securely, which could leave users open to a man-in-the-middle attack. An attacker could mimic the company’s built-in checks and run their own code on a user’s machine.
Malwarebytes CEO Marcin Kleczynsk stated in a blogpost that they acknowledges the bugs found out by Ormandy and were in testing phase for the patch. The patch would be released in three to four weeks states the blog.
If you have any of the above browsers installed on your PC/laptop, make sure you either install the latest version or patch, or use a different browser till the company issues a patch as in case of Malwarebytes.
