Google Project Zero researcher Tavis Ormandy has delved into security software offered by anti-virus firms and has found holes in three of their ‘secure’ browsers.
After recently exposing holes in products from Trend Micro and AVG, the bug hunter has recently gone public with three issues found in software offered by security firms Avast, Comodo and Malwarebytes that allow attackers to access unsuspecting users’ PCs.
It’s a similar story for Comodo’s Internet Security software and its Chromodo browser. When users install the software suite, their existing Chrome installation is replaced with Comodo’s own. It was meant to be “private,” but it wasn’t. When it’s executed, “all shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices,” notes Ormandy.
While Chrome operates a same-origin policy, which ensures that only scripts from the same website can access from each other, Chromodo disabled that protection and left users open to having their private data sniffed by malevolent websites. However, eWeek reports that the fault wasn’t with the browser, but an add-on. Comodo director Charles Zinkowski says the company released a new version of the browser without the add-on on February 3rd, which has fixed the issue for all users.
In the case of Malwarebytes, Ormandy found that its Anti-Malware browser wasn’t downloading updates securely, which could leave users open to a man-in-the-middle attack. An attacker could mimic the company’s built-in checks and run their own code on a user’s machine. The issue was severe enough for Malwarebytes CEO Marcin Kleczynski to address it on the company blog, but it could take up to four weeks for them to fix it.
Google’s Project Zero discloses vulnerabilities from companies that use the Chromium browser to launch their own secure browsers. The browsers tend to ship alongside anti-virus software and the temptation for vendors is to overwrite users’ existing settings to better protect them. As you can see, those methods often disable protections within the browser, leaving some users more vulnerable than before they installed the security tool.
Latest posts by Edmondo Burr (see all)
- Saudi Linked Group Gave DUP $1/2M During Brexit - February 28, 2017
- Bomb Threats In U.S. Trigger Evacuation Of Jewish Centers - February 27, 2017
- Abu Sayyaf Beheads German Hostage Jurgen Kantner - February 27, 2017