13 votes

The main Avast antivirus service contained a custom JavaScript interpreter, enabling wormable pre-auth RCEs. Avast has now disabled the emulator in response to a vulnerability report.

6 comments

  1. [6]
    Deimos
    Here's the tweet from Avast announcing they're disabling it: https://twitter.com/avast_antivirus/status/1237685343580753925

    And Tavis Ormandy's response: https://twitter.com/taviso/status/1237745571009409029

    4 votes
    1. [5]
      unknown user
      Tavis theorizes that considering the public will just "pick the winner" when it comes to choosing an antivirus, scoring "even a single point" would not not make sense for Avast. But... huh? Certainly not now that it's another point in their favor.

      Why make it in the first place? What sort of an application could they have made out of an open JS interpreter?

      1 vote
      1. [4]
        Deimos
        I'm not sure what you're referring to, what's the "pick the winner" and "even a single point" stuff coming from?

        3 votes
        1. [3]
          unknown user
          This tweet (replicate image):

          I hear from informal chats there is brutal competition to win industry detection metrics, because customers will just pick the winner. Adding crazy features to score a single point wouldn't be questioned, as nobody picks the product with the smallest attack surface. 🤷🏻‍♂️

          4 votes
          1. [2]
            Deimos
            Ah, thanks. I think that must be talking about some sort of "antivirus comparison" where having certain features lets you rank higher, and people just take the #1 ranked antivirus without really understanding what it means.

            So maybe there's some kind of improved ranking for having "protection against JavaScript exploits" or something like that, where they need an interpreter to be able to detect malicious-looking JavaScript.

            2 votes
            1. unknown user
              Which... directly executes said malicious code?

              It's unsandboxed, do keep in mind.

              2 votes