Zero-Day Exploit Found in Avast Antivirus


Avast was vulnerable to malicious HTTPS connections. One of Google’s security experts found a zero-day exploit inside the Avast antivirus, which the company has recently patched.

The researcher is Tavis Ormandy, one of Google’s Project Zero engineers, the same man who discovered a similar zero-day exploit in Kaspersky’s antivirus exactly a month ago.

According to Ormandy’s research, the bug manifested itself when users would access Web pages protected through HTTPS connections.

Avast was performing a “legal” MitM for SSL connections

Because the Avast antivirus tapped into encrypted traffic so it could scan it for threats, but used a faulty method for parsing X.509 certificates, an attacker aware of the issue could have executed code on the user’s computer.

The only condition was that users would access a malicious HTTPS website, which is not such a far-fetched scenario.
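The certificate-parsing weakness described above belongs to a class of bugs that a bounds-checked decoder avoids. The following is an added example, not Avast’s code or Ormandy’s proof-of-concept: a minimal walker for DER tag-length-value records (the encoding X.509 certificates use) that refuses a fragment whose length field claims more bytes than the buffer holds, instead of reading past it; the sample byte strings are constructed.

```python
"""Bounds-checked DER TLV parsing, the building block of X.509 certificates."""


class DERError(ValueError):
    """Raised for any structurally invalid DER input."""


def read_tlv(buf: bytes, pos: int):
    """Parse one tag-length-value at buf[pos:] and return (tag, value, next_pos).

    Every read is checked against len(buf), so a hostile length field can
    never make the parser index past the end of the buffer."""
    if pos >= len(buf):
        raise DERError("truncated: no tag byte")
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:
        raise DERError("multi-byte tags not supported")
    if pos >= len(buf):
        raise DERError("truncated: no length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: length is the byte itself
        length = first
    else:                                 # long form: low 7 bits = number of length bytes
        num_bytes = first & 0x7F
        if num_bytes == 0 or num_bytes > 4:
            raise DERError("invalid long-form length")
        if pos + num_bytes > len(buf):
            raise DERError("truncated length field")
        length = int.from_bytes(buf[pos:pos + num_bytes], "big")
        if buf[pos] == 0 or length < 0x80:
            raise DERError("non-minimal length encoding")  # DER requires shortest form
        pos += num_bytes
    if length > len(buf) - pos:           # the check the faulty parser lacked
        raise DERError(f"length {length} exceeds remaining {len(buf) - pos} bytes")
    return tag, buf[pos:pos + length], pos + length


def parse_sequence(buf: bytes):
    """Parse a top-level SEQUENCE and return its children as (tag, value) pairs."""
    tag, body, end = read_tlv(buf, 0)
    if tag != 0x30:
        raise DERError("expected SEQUENCE")
    if end != len(buf):
        raise DERError("trailing bytes after SEQUENCE")
    children, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        children.append((t, v))
    return children


def is_well_formed(buf: bytes) -> bool:
    """True if buf is a well-formed DER SEQUENCE, False on any structural error."""
    try:
        parse_sequence(buf)
        return True
    except DERError:
        return False


# Constructed sample: SEQUENCE { INTEGER 2, UTF8String "avast" }
GOOD = bytes.fromhex("300a" "020102" "0c05" + b"avast".hex())
# Constructed hostile sample: the inner string claims 0x50 bytes but only 5 follow
BAD = bytes.fromhex("300a" "020102" "0c50" + b"avast".hex())
```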

Ormandy released a proof-of-concept on Project Zero’s Google Group after the antivirus company issued a fix.

Kaspersky, FireEye, and now Avast

This is the third antivirus solution that we’ve seen with a zero-day vulnerability in the past 30 days.

We previously reported on Kaspersky, whose product included a zero-day bug that allowed an attacker to easily infiltrate the victim’s computer and gain system-level privileges, letting him carry out any kind of attack without restrictions.

This was followed by FireEye’s antivirus engine, which had a zero-day that provided unauthorized remote root file system access, a flaw found in a PHP script running on a Web-facing Apache server.

Neither of those was exploited in the wild, and the Avast bug does not seem to have been either.

Off-topic: If you’re looking for advice on what security product to use, in the discussion that followed on Twitter after Avast’s announcement, Ormandy surprisingly recommended Windows Defender as a good solution to use.

We have contacted Avast for comments.

UPDATE: Avast says: “We have released a fix via virus definition updates last week. There is no action required by the user.”