Avast disabled a component in its suite that ironically posed a significant risk to it better safety.
Ο κατασκευαστής λογισμικού απενεργοποίησε τον JavaScript interpreter στην εργαλειοθήκη της, όταν ο Tavis Ormandy από το Google Project Zero και οι συνεργάτες του ειδοποίησαν την company to "collect" imperfections in the code.
According to Avast, Ormandy discovered one vulnerability that allowed remote code execution in the software, the details of which were not publicly disclosed.
Five days later, Google released a shell that could give more information about Avast JavaScript vulnerabilities to anyone interested in evaluating the antivirus suite.
He also revealed that if the attackers were able to exploit any holes in Avast's JS on the victim computer, they could run malicious applications on that computer with system-admin privileges.
It should be noted that Ormandy did not reveal specifically errorthe.
A few days after its release tooly analysis, the company chose to remove the JavaScript emulator entirely. According to the company, its removal will not significantly affect the suite's ability to detect malware. The company's quick action was applauded by Ormandy.
A praise from the security community for Avast has been something very difficult lately. After the data sale scandal, the company found itself in the spotlight again when it was revealed that the AntiTrack tool contained errors which could allow man-in-the-middle attacks to monitor supposedly secure connections.