Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Google Discloses Flaws in Avast, Comodo and Malwarebytes Products

    By
    Sean Michael Kerner
    -
    February 4, 2016
    Share
    Facebook
    Twitter
    Linkedin
      Google exposes flaws

      The Google Project Zero security research effort publicly disclosed multiple security flaws in products from big antivirus vendors, such as Avast, Comodo and Malawarebytes. Google is targeting security vendors that have forked the open-source Chromium Web browser to build their own secure browsers.

      For Avast, Google security researcher Tavis Ormandy reported that the Avastium browser, which is based on Google’s open-source Chromium project, is at risk from a remote attacker.

      “This one is complicated, but allows an attacker to read any file on the filesystem by clicking a link,” Ormandy wrote in a bug report. “You don’t even have to know the name or path of the file, because you can also retrieve directory listings using this attack.”

      Ormandy first reported the issue to Avast on Dec. 18, and the company released a patched version Feb. 3 as part of the Avast 2016.11.1.2253 update.

      Security vendor Comodo also has sparked the ire of Ormandy for its fork of Chromium, dubbed Chromodo.

      In his bug report on Comodo, Ormandy wrote that Chromodo “disables all Web security.” He called out the fact that Chromodo disables Chromium’s Same Origin Policy, which is a key security feature. Same Origin Policy has been part of every modern Web browser since Netscape 2.0 and does not enable scripts from one page to run on another.

      The vulnerability was not with Comodo or the Chromodo browser itself, but rather with an add-on, said Charles Zinkowski, Comodo director of corporate communications. The vulnerability has been fixed and addressed, he said.

      “Comodo is releasing an update of Chromodo [Feb. 3] without the add-on, removing any issues, and the update will go to all current Chromodo users as well,” Zinkowski told eWEEK.

      In general, software is always being updated, patched, fixed, addressed, improved—it goes hand in hand with any development cycle, he said, adding that what is critical in software development is how companies address an issue if a certain vulnerability is found—ensuring it never puts the customer at risk.

      Jeremiah Grossman, founder of WhiteHat Security, is not surprised that Google researchers have found flaws in security vendors’ forks of Chromium. WhiteHat has, in the past, attempted to run its own Chromium fork, called Aviator. WhiteHat stopped supporting Aviator in January 2015. Grossman didn’t understand why Comodo would choose to disable the Same Origin Policy, and he said it’s not an easy technology to disable.

      That said, Grossman noted that building and supporting a Chromium-based browser is not easy. Google patches and updates Chromium rapidly, and that makes it challenging for any fork to keep pace. “If you just fork the Chromium browser, and added zero features but just try to keep pace, it’s very difficult and very expensive,” Grossman said. “You have to build an update infrastructure, and we were budgeting between $300,000 and $500,000 in developer costs per year, just to keep pace.”

      Google’s Ormandy also set his sights on the Malwarebytes antivirus platform. Among the issues Ormandy publicly disclosed is the fact that Malwarebytes updates are not downloaded by users over a secure channel. “Malwarebytes fetches their signature updates over HTTP, permitting a man-in-the-middle attack,” Ormandy warned.

      Malwarebytes has issued its own advisory on the issue and is pledging to provide users with a patched update.

      “Unfortunately, vulnerabilities are the harsh reality of software development,” Marcin Kleczynski, Malwarebytes CEO, wrote. “In fact, this year alone, our researchers have found and reported several vulnerabilities with other software.”

      WhiteHat’s Grossman isn’t sympathetic to the antivirus vendors and doesn’t doubt that Google will disclose more vulnerabilities in vendor platforms.

      “People are paying good money to be left insecure; that’s really what it comes down to,” Grossman said. “Sorry if that’s just too sharp a point, but that’s just what it is.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×