The flaw was discovered this week by Google Project Zero researcher Tavis Ormandy. Project Zero aims to find potential exploits in software packages and get them fixed before hackers discover them.
Avastium is based on Chromium, the open-source browser engine originally developed by Google for Chrome but now available for everyone. Avast modified a key security feature in Chromium, removing the protection it offers and exposing the user’s filesystem to the Internet.
Ormandy discovered that the browser starts a server on the user’s computer that can be accessed over the Internet. Most of the commands aren’t dangerous but one of them, used to open a URL in Avastium, proved more interesting.
Many Internet users will only notice the “http://” protocol but Chromium supports many others. Opening a file stored locally, such as a downloaded PDF document, uses the “file://” protocol to signal that it should be loaded from the computer rather than the Internet.
Usually, these protocols cannot be specified from the command line. Avast had removed this protection though, so an attacker could remotely send commands to the browser forcing it to load and retrieve files from the user’s computer.
Ormandy built a working prototype that displays the contents of the C:/ drive to any hacker that asks for it. He explained what the exploit could provide hackers with access to: “If an Avast user using *any* web browser visits an attacker controlled URL, he can launch Avastium and take complete control of it; reading files, cookies, passwords, everything. He can even take control of authenticated sessions and read email, interact with online banking, etc.”
The bug was first reported to Avast on December 18. The company responded with a temporary fix to intercept any hazardous command and followed-up with a full patch this Wednesday.
The flaw demonstrates that even companies who claim to make “secure” products can still end up with critical vulnerabilities in their code. Avast isn’t the first antivirus firm to have to patch up its own web browser. This week, Ormandy also revealed details of a similar bug in Chromodo, Comodo’s browser that comes shipped with its suite of security-branded products.
