1) Avast Secure Browser did everything in its power to maximize the attack surface. The attack worked because two security mechanisms were explicitly disabled for no good reason. Arbitrary code execution from any website. 2/5
2) McAfee WebAdvisor is sloppy when handling HTML code; the browser extension is full of potential XSS vulnerabilities. One of those was exploitable, and it turned out that even CSP won't always save you then. Administrator privileges from any website. 3/5
All of that without any fancy buffer overflows or such, merely abusing existing application logic. Could it be that antivirus vendors focused so much on hardening their binary code that they forgot the low-hanging fruit? And is it really hardened?
To be continued… 5/5