Skip to main content

Avast disables JavaScript engine in its antivirus following major bug

(Image credit: Shutterstock)

Avast has decided to disable a major comportment of its antivirus software after a security researcher discovered a dangerous vulnerability that could put all of the company's users at risk.

The security flaw, which was first discovered by Google's Tavis Ormandy, was found in the company's JavaScript engine. This internal component of Avast antivirus allows for JavaScript code to be analyzed for malware before it's allowed to execute in browsers or email clients.

In a GitHub page containing the tool he used to analyze the company's antivirus software, Ormandy explained just how serious the security flaw is, saying:

"Despite being highly privileged and processing untrusted input by design, it is unsandboxed and has poor mitigation coverage. Any vulnerabilities in this process are critical, and easily accessible to remote attackers."

JavaScript engine security flaw

Exploiting the kind of bug that Ormandy discovered in Avast's JavaScript engine is actually quite easy and an attacker would only need to send a user a malicious JavaScript or Windows Script Host file via email to do so.

Due to the fact that most antivirus software has system level access, once Avast antivirus downloaded one of these malicious files into its own custom engine, an attacker could easily execute malicious operations on a user's computer. For instance, if an attacker exploited this security flaw, they would then have the ability to install malware on an Avast user's device.

Although the company has been aware of the bug for almost a week, it has not yet released a patch to fix the issue and instead, it decided to disable its antivirus' ability to scan JavaScript code until one is ready.

As of now, there is no news as to when a patch will be ready but Avast did reach out to ZDNet with the following comment, which reads:

"Last Wednesday, March 4, Google vulnerability researcher Tavis Ormandy reported a vulnerability to us affecting one of our emulators. The vulnerability could have potentially been abused to carry out remote code execution. On March 9, he released a tool to greatly simplify vulnerability analysis in the emulator. We have fixed this by disabling the emulator, to ensure our hundreds of millions of users are protected from any attacks. This won't affect the functionality of our AV product, which is based on multiple security layers."

Via ZDNet

Anthony Spadafora

After living and working in South Korea for seven years, Anthony now resides in Houston, Texas where he writes about a variety of technology topics for ITProPortal and TechRadar. He has been a tech enthusiast for as long as he can remember and has spent countless hours researching and tinkering with PCs, mobile phones and game consoles.