Google engineer finds holes in three 'safe' browsers

Google engineer finds holes in three 'secure' browsers

It seems no anti-virus or safety software program is protected from Google Challenge Zero researcher Tavis Ormandy. After just lately exposing holes in merchandise from Development Micro and AVG, the bug hunter has lately gone public with three points present in software program provided by safety companies Avast, Comodo and Malwarebytes that permit attackers to entry unsuspecting customers’ PCs.

For Avast, Ormandy recognized that its Avastium browser (a fork of Google Chromium) allowed an attacker to “learn any file on the filesystem by clicking a hyperlink.” The exploit concerned utilizing a specifically-crafted JavaScript net web page that would bypass constructed-in checks and probably permit a malicious get together to learn cookies and e mail. The difficulty was first disclosed on December eighth, however Avast launched a patched model of its browser on February third.

It is a comparable story for Comodo’s Web Safety software program and its Chromodo browser. When customers set up the software program suite, their present Chrome set up is changed with Comodo’s personal. It was meant to be “personal,” nevertheless it wasn’t. When it is executed, “all shortcuts are changed with Chromodo hyperlinks and all settings, cookies, and so forth are imported from Chrome. Additionally they hijack DNS settings, amongst different shady practices,” notes Ormandy.

Whereas Chrome operates a similar-origin coverage, which ensures that solely scripts from the identical web site can entry from one another, Chromodo disabled that safety and left customers open to having their personal knowledge sniffed by malevolent web sites. Nevertheless, eWeek stories that the fault wasn’t with the browser, however an add-on. Comodo director Charles Zinkowski says the corporate launched a brand new model of the browser with out the add-on on February third, which has fastened the difficulty for all customers.

Within the case of Malwarebytes, Ormandy discovered that its Anti-Malware browser wasn’t downloading updates securely, which might depart customers open to a person-in-the-center assault. An attacker might exchange the corporate’s constructed-in checks and run their very own code on a consumer’s machine. The difficulty was extreme sufficient for Malwarebytes CEO Marcin Kleczynski to deal with it on the corporate weblog, nevertheless it might take as much as 4 weeks for them to repair it.

Google’s Challenge Zero discloses vulnerabilities from corporations that use the Chromium browser to launch their very own safe browsers. The browsers are likely to ship alongside anti-virus software program and the temptation for distributors is to overwrite customers’ present settings to raised shield them. As you possibly can see, these strategies typically disable protections inside the browser, leaving some customers extra weak than earlier than they put in the safety device.

Protection: eWeek