UPDATED 13:57 EDT / FEBRUARY 04 2016

NEWS

Flaws in ‘secure’ browsers from Avast, Comodo and Malwarebytes can’t hide from Google

Google Project Zero security researcher Tavis Ormandy has uncovered and disclosed flaws in anti-virus products based on Google’s Chromium browser offered by Avast, Comodo and Malwarebytes. Each of these flaws either permits attackers to run code on the computers of unsuspecting users or opens customers up to being spied upon.

Chromium is the open-source browser project upon which Google Chrome is based; the intention of the project was to provide a minimalistic web browser with high security and lightweight configuration. It is used as the codebase for browsers released by other product vendors, and in the case of Avast (from AVAST Software s.r.o.), Comodo (from Comodo Group, Inc.) and Malwarebytes (from Malwarebytes Corporation) it is the core for “secure” browser products.

Project Zero is the name of a team of security analysts employed by Google who spend their time spelunking through code to discover zero-day exploits. The project was announced on July 15, 2014, along with a push for increased security across all of Google’s products and the use of SSL encryption. The discovery of the “Heartbleed” vulnerability in April 2014 became the inspiration to jump-start the efforts of the Project Zero team.

Avast patches JavaScript exploit out of Avastium

When looking into Avastium, the Chromium-based software from Avast, Ormandy discovered a flaw that he described as “complicated” but that easily allowed attackers to “read any file on the filesystem by clicking a link.” To complete the attack, a hacker would need to craft a complex JavaScript website that would then circumvent Avastium’s built-in security.

The issue was disclosed by Ormandy on December 18, 2015, and Avast responded by patching the flaw yesterday, February 3.

Comodo patching bad plug-in behavior in Chromodo

As for Comodo’s Internet Security software and its Chromodo browser, Ormandy discovered that the new software replaced the users’ own Chrome installation, meaning that it would overwrite any security that had already been set up. Upon researching this, Ormandy did not think highly of the software’s behavior, saying, “all shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices.”

However, as reported by eWeek, this fault was not with the Comodo browser itself but a plug-in that shipped with the software.

“Comodo is releasing an update of Chromodo [Feb. 3] without the add-on, removing any issues,” Charles Zinkowski, Comodo director of corporate communications, told eWeek, “and the update will go to all current Chromodo users as well.”

This issue was disclosed by Ormandy on January 21, and Comodo’s patch to fix the problem was released yesterday.

Anti-Malware browser from Malwarebytes still waiting on a fix

The Anti-Malware browser from Malwarebytes, Ormandy disclosed February 2, could suffer from a man-in-the-middle (MitM) attack during updates. Due to the extreme freshness of the exploit disclosure, some of the information is unavailable to the public (in order to allow Malwarebytes to fix it).

According to Ormandy, the Anti-Malware browser uses an unencrypted HTTP channel to fetch its secure signature certificate (used to sign and verify updates), meaning that an attacker could intercept and modify the updates in transit. In the worst-case scenario, an attacker could pretend to be Malwarebytes and therefore bypass the built-in security to run arbitrary code on a user’s machine.

To fix this, Ormandy simply suggests that Malwarebytes use a secure connection (which is usually the Secure Sockets Layer on the web) to provide updates.
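The weakness described above, modelled in a few lines as an added illustration: this is not Malwarebytes’ update code or protocol, and the keys, messages and function names are constructed for the example, with toy textbook RSA standing in for a real signature scheme. It shows why a signature check is meaningless when the verification key arrives over the same unauthenticated channel as the update, and how a client that pins the vendor key’s fingerprint (one common hardening, alongside the secure transport suggested above) rejects the substituted key.

```python
import hashlib

def keypair(p, q, e=65537):
    """Toy textbook RSA from two primes (illustration only, not secure)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def fingerprint(pub):
    return hashlib.sha256(repr(pub).encode()).hexdigest()

# Constructed keys for the vendor and for someone on the network path.
VENDOR_PUB, VENDOR_PRIV = keypair(2**61 - 1, 2**89 - 1)
OTHER_PUB, OTHER_PRIV = keypair(2**107 - 1, 2**127 - 1)
PINNED = fingerprint(VENDOR_PUB)  # assumed to ship inside the installer

def channel(tampered):
    """What the client receives over plain HTTP: (key, update, signature)."""
    if tampered:
        update = b"constructed: replaced update"
        return OTHER_PUB, update, sign(OTHER_PRIV, update)
    update = b"constructed: genuine update"
    return VENDOR_PUB, update, sign(VENDOR_PRIV, update)

def weak_client(response):
    """Trusts whatever verification key arrived alongside the update."""
    pub, update, sig = response
    return verify(pub, update, sig)

def pinned_client(response):
    """Accepts the key only if it matches the fingerprint shipped with the client."""
    pub, update, sig = response
    return fingerprint(pub) == PINNED and verify(pub, update, sig)

if __name__ == "__main__":
    for tampered in (False, True):
        r = channel(tampered)
        print(tampered, weak_client(r), pinned_client(r))
```

The weak client accepts both responses because the substituted update verifies correctly against the substituted key; only the pinned client distinguishes them.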

Malwarebytes CEO Marcin Kleczynski understood that this vulnerability was severe enough that he addressed it personally on his company’s blog. In the post he describes the exploit and mentions an upcoming fix, which may take 3-4 weeks to implement. Meanwhile, he said, “Consumers using the Premium version of Malwarebytes Anti-Malware should enable self-protection under settings to mitigate all of the reported vulnerabilities.”

“I’d also like to take this opportunity to apologize,” Kleczynski added. “While these things happen, they shouldn’t happen to our users.”


Consumer security and the modern-day update cycle

Chromium is a rapidly updated software codebase that requires constant attention to potential vulnerabilities, and when it is forked, new issues can be introduced by modifying the code. Although Google is always working to better harden its code, and runs periodic Bug Bounty programs, new exploits and holes are being found all the time.

Security software in particular is a common target for attackers since it often has higher privileges on a user’s system to do its job. Furthermore, users seeking a secure browser are also part of a population interested in privacy or higher security, which means they are more likely to have valuable information to protect.

As a result, vendors find themselves balancing customer security with release cycles. Each time Chromium’s base code changes to fix a potential vulnerability, they must keep up (and that can be swift), and vendors must also stay on top of potential exploits in their own code to find them before the bad guys do.
