Avast took an interesting approach when integrating their antivirus product with web browsers. Users are often hard to convince that Avast browser extensions are good for them and should be activated in their browser of choice. So Avast decided to bring out their own browser with the humble name Avast Secure Browser. Their products send a clear message: ditch your current browser and use Avast Secure Browser (or AVG Secure Browser as AVG users know it) which is better in all respects.

Avast Secure Browser is based on Chromium and its most noticeable difference is the numerous built-in browser extensions, usually not even visible in the list of installed extensions (meaning that they cannot be disabled by regular means). Avast Secure Browser has eleven custom extensions, AVG Secure Browser has eight.

Now putting eleven extensions of questionable quality into your “secure” browser might not be the best idea. Today we’ll look at the remarkable Video Downloader extension which essentially allowed any website to take over the browser completely (CVE-2019-18893). An additional vulnerability then allowed it to take over your system as well (CVE-2019-18894). The first issue was resolved in Video Downloader 1.5, released at some point in October 2019. The second issue remains unresolved at the time of writing. Update (): Avast notified me that the second issue has been resolved in an update yesterday; I can confirm the application version not being vulnerable any more after an update.

Note: I did not finish my investigation of the other extensions which are part of the Avast Secure Browser. Given how deeply this product is compromised on another level, I did not feel that there was a point in making it more secure. In fact, I’m not going to write about the Avast Passwords issues I reported to Avast – nothing special here, yet another password manager that made several of the usual mistakes and put your data at risk.

Browser vendors put a significant effort into limiting the attack surface of browser extensions. The Video Downloader extension, however, explicitly chose to disable the existing security mechanisms. As a result, a vulnerability in this extension had far-reaching consequences. Websites could inject their JavaScript code into the extension context (CVE-2019-18893). Once there, they could control pretty much all aspects of the browser, read out any data known to it, spy on the user as they surf the web and modify any websites. This JavaScript code, like any browser extension with access to localhost, could also communicate with the Avast Antivirus application. This communication interface has a vulnerability in the command starting Banking Mode which allows injecting arbitrary command line flags (CVE-2019-18894). This can be used to gain full control of Avast Secure Browser in Banking Mode and even execute local applications with the user’s privileges. End result: visiting any website with Avast Secure Browser could result in malware being installed on your system without any user interaction.