The Google Project Zero security research effort publicly disclosed multiple security flaws in products from big antivirus vendors, such as Avast, Comodo and Malawarebytes. Google is targeting security vendors that have forked the open-source Chromium Web browser to build their own secure browsers.
For Avast, Google security researcher Tavis Ormandy reported that the Avastium browser, which is based on Google’s open-source Chromium project, is at risk from a remote attacker.
“This one is complicated, but allows an attacker to read any file on the filesystem by clicking a link,” Ormandy wrote in a bug report. “You don’t even have to know the name or path of the file, because you can also retrieve directory listings using this attack.”
Ormandy first reported the issue to Avast on Dec. 18, and the company released a patched version Feb. 3 as part of the Avast 2016.11.1.2253 update.
Security vendor Comodo also has sparked the ire of Ormandy for its fork of Chromium, dubbed Chromodo.
In his bug report on Comodo, Ormandy wrote that Chromodo “disables all Web security.” He called out the fact that Chromodo disables Chromium’s Same Origin Policy, which is a key security feature. Same Origin Policy has been part of every modern Web browser since Netscape 2.0 and does not enable scripts from one page to run on another.
The vulnerability was not with Comodo or the Chromodo browser itself, but rather with an add-on, said Charles Zinkowski, Comodo director of corporate communications. The vulnerability has been fixed and addressed, he said.
“Comodo is releasing an update of Chromodo [Feb. 3] without the add-on, removing any issues, and the update will go to all current Chromodo users as well,” Zinkowski told eWEEK.
In general, software is always being updated, patched, fixed, addressed, improved—it goes hand in hand with any development cycle, he said, adding that what is critical in software development is how companies address an issue if a certain vulnerability is found—ensuring it never puts the customer at risk.
Jeremiah Grossman, founder of WhiteHat Security, is not surprised that Google researchers have found flaws in security vendors’ forks of Chromium. WhiteHat has, in the past, attempted to run its own Chromium fork, called Aviator. WhiteHat stopped supporting Aviator in January 2015. Grossman didn’t understand why Comodo would choose to disable the Same Origin Policy, and he said it’s not an easy technology to disable.
That said, Grossman noted that building and supporting a Chromium-based browser is not easy. Google patches and updates Chromium rapidly, and that makes it challenging for any fork to keep pace. “If you just fork the Chromium browser, and added zero features but just try to keep pace, it’s very difficult and very expensive,” Grossman said. “You have to build an update infrastructure, and we were budgeting between $300,000 and $500,000 in developer costs per year, just to keep pace.”
Google’s Ormandy also set his sights on the Malwarebytes antivirus platform. Among the issues Ormandy publicly disclosed is the fact that Malwarebytes updates are not downloaded by users over a secure channel. “Malwarebytes fetches their signature updates over HTTP, permitting a man-in-the-middle attack,” Ormandy warned.
Malwarebytes has issued its own advisory on the issue and is pledging to provide users with a patched update.
“Unfortunately, vulnerabilities are the harsh reality of software development,” Marcin Kleczynski, Malwarebytes CEO, wrote. “In fact, this year alone, our researchers have found and reported several vulnerabilities with other software.”
WhiteHat’s Grossman isn’t sympathetic to the antivirus vendors and doesn’t doubt that Google will disclose more vulnerabilities in vendor platforms.
“People are paying good money to be left insecure; that’s really what it comes down to,” Grossman said. “Sorry if that’s just too sharp a point, but that’s just what it is.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.