Google Engineer Finds Security Issues With Three ‘Secure’ Browsers

Google Project Zero researcher Tavis Ormandy has delved into security software offered by anti-virus firms and has found holes in three of their ‘secure’ browsers.
Engadget reports:
After recently exposing holes in products from Trend Micro and AVG, the bug hunter has recently gone public with three issues found in software offered by security firms Avast, Comodo and Malwarebytes that allow attackers to access unsuspecting users’ PCs.
For Avast, Ormandy identified that its Avastium browser (a fork of Google Chromium) allowed an attacker to “read any file on the filesystem by clicking a link.” The exploit involved using a specially-crafted JavaScript web page that could bypass built-in checks and potentially allow a malicious party to read cookies and email. The issue was first disclosed on December 8th, but Avast released a patched version of its browser on February 3rd.
It’s a similar story for Comodo’s Internet Security software and its Chromodo browser. When users install the software suite, their existing Chrome installation is replaced with Comodo’s own. It was meant to be “private,” but it wasn’t. When it’s executed, “all shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices,” notes Ormandy.
While Chrome operates a same-origin policy, which ensures that only scripts from the same website can access each other, Chromodo disabled that protection and left users open to having their private data sniffed by malevolent websites. However, eWeek reports that the fault wasn’t with the browser, but an add-on. Comodo director Charles Zinkowski says the company released a new version of the browser without the add-on on February 3rd, which has fixed the issue for all users.
In the case of Malwarebytes, Ormandy found that its Anti-Malware browser wasn’t downloading updates securely, which could leave users open to a man-in-the-middle attack. An attacker could mimic the company’s built-in checks and run their own code on a user’s machine. The issue was severe enough for Malwarebytes CEO Marcin Kleczynski to address it on the company blog, but it could take up to four weeks for them to fix it.
Google’s Project Zero discloses vulnerabilities from companies that use the Chromium browser to launch their own secure browsers. The browsers tend to ship alongside anti-virus software and the temptation for vendors is to overwrite users’ existing settings to better protect them. As you can see, those methods often disable protections within the browser, leaving some users more vulnerable than before they installed the security tool.