Avast vulnerability

As per the AVulnerability checker tool in http://breakingmalware.com/vulnerabilities/sedating-watchdog-abusing-security-products-bypass-mitigations/ Avast is vulnerable…

Sedating the Watchdog: Abusing Security Products to Bypass Mitigations

tldr; design issues in various security products, such as anti-virus, make it significantly easier for threat actors to bypass exploit mitigations. In particular, we found a prevalent flaw where anti-virus products allocate memory with RWX permissions at a predictable address.

We released a tool that checks whether your computer is likely to be vulnerable to exploitable constant, RWX addresses. Download AVulnerabilityChecker here – https://github.com/BreakingMalware/AVulnerabilityChecker

Introduction
Back in March we disclosed a flaw in AVG which makes exploit-mitigation bypass significantly easier. Bypassing mitigations was possible due to allocation of memory with RWX permissions in a predictable address.

After we discovered this flaw to AVG we decided to check if other anti-virus products are vulnerable to similar issues. Indeed, we found similar design issues at a few other vendors and we have disclosed these issues to them.

Due to the prevalence of this issue, we can assume that this flaw resides in other intrusive applications such as application monitoring programs and other security products such as DLP.

Now, what is the protection against this threat?

Thanks…

(Sankaranarayanan)

::slight_smile: Where do you read that avast is vulnerable??
AVG is not AVAST…

As Avast user, I have checked the tool under Avast and found it vulnerable…

Reported to Avast.

Old news, it was already known

Besides, the tool doesn’t work correctly.

When I run it as instructed I get :

  • Please make sure at least two browser tabs are open before running the tool
  • Press any key to continue
  • I open my browser, open 4 tabs and press a key
  • In a flash I see “no browsers open” and the tool closes.

No… The tool works…

I first kept open tabs in ‘Slimjet’ browser, and then ran the tool… As you said, it disappeared in a flash…

I then first ran the tool, when it prompted for open tabs, I then opened 2 tabs in FF, then next as prompted closed FF, then opened Chrome & 2 tabs in it, the tool then reported vulnerable in chrome processes some PID’s…

I actually found this in http://www.theregister.co.uk/2015/12/11/anti_virus_trips_up_windows_defences/

Instead of checking the issue itself enSilo has put together a free checking utility called AVulnerabilityChecker which it has uploaded to GitHub.

Independent tests using the tool by Simon Edwards, technical director at Dennis Technology Labs, an experienced antivirus tester and chairman of the Anti-Malware Testing Standards Organization, suggest that products from Symantec and BitDefender (among others) might be vulnerable. Security products from Microsoft and others avoid the problem, according to preliminary testing.

“We used that vulnerability scanner to check 22 anti-malware products, including a lot that we regularly test,” Edwards told El Reg. “We found that 12 were ‘likely to be vulnerable.”

The tool does not work on my system.
It doesn’t matter if I first open the browser and multiple tabs or first run the tool and then open the browser and multiple tabs.

This CHIP link http://www.chip.de/downloads/AVulnerabilityChecker_86729921.html also ay be checked, which says, the tool is compatible with Chrome, Firefox and Internet Explorer only…

advantages few false positives Reliable results Open source Disadvantages only compatible with Chrome, Firefox and Internet Explorer Alternative recommendations description CHIP Conclusion CHIP Conclusion to AVulnerabilityChecker The check on the "AVulnerabilityChecker" is probably the easiest way to check your antivirus program on any gaps.

Michael Humpa | CHIP software editors

The tool works and as you can clearly see, Avast is not vulnerable.

http://screencast-o-matic.com/screenshots/u/Lh/1454337667036-29827.png

i also, re-checked now with browsers in reverse order, first tool, then Chrome 2 tabs, close chrome, open FF with 2 tabs, final confirmation, ‘Not Vulnerable

But, don’t know, why it happenned first time? A mystery…

Computer Gremlin at work. :slight_smile: