Avast disables JavaScript engine in its antivirus following major bug

(Image credit: Shutterstock)

Avast has decided to disable a major comportment of its antivirus software after a security researcher discovered a dangerous vulnerability that could put all of the company's users at risk.

The security flaw, which was first discovered by Google's Tavis Ormandy, was found in the company's JavaScript engine. This internal component of Avast antivirus allows for JavaScript code to be analyzed for malware before it's allowed to execute in browsers or email clients.

In a GitHub page containing the tool he used to analyze the company's antivirus software, Ormandy explained just how serious the security flaw is, saying:

"Despite being highly privileged and processing untrusted input by design, it is unsandboxed and has poor mitigation coverage. Any vulnerabilities in this process are critical, and easily accessible to remote attackers."

JavaScript engine security flaw

Exploiting the kind of bug that Ormandy discovered in Avast's JavaScript engine is actually quite easy and an attacker would only need to send a user a malicious JavaScript or Windows Script Host file via email to do so.

Due to the fact that most antivirus software has system level access, once Avast antivirus downloaded one of these malicious files into its own custom engine, an attacker could easily execute malicious operations on a user's computer. For instance, if an attacker exploited this security flaw, they would then have the ability to install malware on an Avast user's device.

Although the company has been aware of the bug for almost a week, it has not yet released a patch to fix the issue and instead, it decided to disable its antivirus' ability to scan JavaScript code until one is ready.

As of now, there is no news as to when a patch will be ready but Avast did reach out to ZDNet with the following comment, which reads:

"Last Wednesday, March 4, Google vulnerability researcher Tavis Ormandy reported a vulnerability to us affecting one of our emulators. The vulnerability could have potentially been abused to carry out remote code execution. On March 9, he released a tool to greatly simplify vulnerability analysis in the emulator. We have fixed this by disabling the emulator, to ensure our hundreds of millions of users are protected from any attacks. This won't affect the functionality of our AV product, which is based on multiple security layers."

Via ZDNet

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.