I know that everybody is tired of me talking about but this time it's a beefy RCE vulnerability. Avast Secure Browser could be trivially taken over by any website, allowing even execution of arbitrary OS commands.

palant.de/2020/01/13/pwning-av

That's the actual research I was conducting when I hit their privacy issues. It's a bit weird that I kept talking about their data collection practices while the initial security research had to stay secret until the deadline.

Big thanks to @yarlob@twitter.com for the important hint here!

notified me that they resolved CVE-2019-18894 yesterday. I can confirm the issue being resolved even though the displayed application release date doesn't change. That's good news, I really don't enjoy dropping 0-days...

@WPalant AVG already went down, now also Avast???
What's up with Windows Antivirus makers? I guess that Windows Defender ate their chunk of the market, right?

@Genstar I don't think that this is due to Windows Defender. They rather never had strong incentives to invest in security. Some did nevertheless, most never really cared. And since security researchers rarely look at the "web protection" components of antivirus applications, these are often problematic to say the least.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.