Avast has mitigated a vulnerability in its SafeZone tool that allowed attackers to read any file on the system by getting the victim to click on a link.
SafeZone, also known as Avastium, is a Chromium fork designed to protect Avast users’ data when they shop or bank online. The tool is in Avast’s Premier, Internet Security and Pro Antivirus products.
Unlike Chromium, which only allows WebSafe URLs on the command line, SafeZone allowed any URL without restriction, said Google researcher Tavis Ormandy, who discovered the flaw.
By removing this security check, the Avast tool permitted attackers to gain additional privileges and conduct various actions on the system.
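To illustrate the kind of check described above, here is an added example (not Avast's or Chromium's code) of a command-line URL gate that accepts only allowlisted web schemes and rejects everything else; the allowlist used is an assumption for illustration, not Chromium's exact list.

```python
from urllib.parse import urlsplit

# Assumed allowlist modelled on the idea of "web-safe" schemes. The exact set
# Chromium enforces is not given on this page, so this set is an assumption.
WEB_SAFE_SCHEMES = frozenset({"http", "https", "ftp", "ws", "wss"})


def is_web_safe_url(url: str) -> bool:
    """Return True only if url carries an explicit, allowlisted scheme and a host.

    Local-file schemes, browser-internal schemes, script schemes and bare
    paths (no scheme at all) are all rejected, which is the restriction the
    article says SafeZone dropped.
    """
    candidate = url.strip()
    if not candidate:
        return False
    parts = urlsplit(candidate)        # urlsplit already lowercases the scheme
    if parts.scheme not in WEB_SAFE_SCHEMES:
        return False
    # A web-safe scheme with no host ("http:") is not a valid navigation target.
    return bool(parts.netloc)


def filter_command_line_urls(args):
    """Split command-line arguments into (accepted, rejected).

    Arguments starting with '-' are treated as flags and pass through; every
    other argument is a URL candidate and must satisfy is_web_safe_url().
    """
    accepted, rejected = [], []
    for arg in args:
        if arg.startswith("-") or is_web_safe_url(arg):
            accepted.append(arg)
        else:
            rejected.append(arg)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample invocation, not a real command line from the page.
    sample = ["--new-window", "https://bank.example/login", "file:///etc/passwd"]
    print(filter_command_line_urls(sample))
```

The point of the gate is that a launcher which forwards a URL into the browser process never hands it a scheme that resolves to local files or internal pages, regardless of how the link reached the launcher.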
If an attacker tricked a victim into visiting a malicious URL, they could launch Avastium and gain complete control of the application. Ormandy said an attack could have worked even if the victim had never used Avastium.
“[The vulnerability] allows an attacker to read any file on the filesystem by clicking a link,” Ormandy said in a blog post. “You don’t even have to know the name or path of the file, because you can also retrieve directory listings using this attack. Additionally, you can send arbitrary ‘authenticated’ HTTP requests, and read the responses. This allows an attacker to read cookies, email, interact with online banking and so on.”
The flaw was first reported to Avast in mid-December, and the vendor released a temporary mitigation on December 28. A full patch followed on February 3 with the release of Avast 2016 build 2016.11.1.2253.