Security vendor Avast has patched a dangerous vulnerability in its SafeZone protected browsing tool, which researchers claimed could allow attackers to compromise secure sessions like online banking.
SafeZone—also known as Avastium—is in fact a fork of the Chromium browser bundled with the firm’s paid AV software packages, and designed to keep users safe from threats when shopping or banking online.
However, Google’s much-feted Project Zero researcher Tavis Ormandy informed the vendor back in December of a new flaw in the tool.
“This one is complicated, but allows an attacker to read any file on the filesystem by clicking a link. You don't even have to know the name or path of the file, because you can also retrieve directory listings using this attack,” he explained in a post.
“Additionally, you can send arbitrary *authenticated* HTTP requests, and read the responses. This allows an attacker to read cookies, email, interact with online banking and so on.”
What’s more, although the attack relies on SafeZone to work, the victim doesn’t actually have to be using it to be successfully attacked, because their profile is automatically imported from Chrome on startup, Ormandy claimed.
Avast patched the tool in a new release of its Avast 2016 product (build number 2016.11.1.2253), which now also includes extra phishing protection and improved Fixed Pay functionality.
Avast is just one of many security vendors whose products Ormandy has found security holes in.
Trend Micro, FireEye, Kaspersky Lab and many others have been called out by the Project Zero team for security issues.
Most recently, Ormandy went public with vulnerabilities in Malwarebytes products after the 90-day patch window expired without a full fix for the issues.
CEO and founder of the company, Marcin Kleczynski, said the firm was working on a patch which should be ready within the month.