Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: REDACTED on March 12, 2015, 07:14:45 PM

Title: [RESOLVED] [Web Shield] Avast vulnerable to FREAK security flaw. SOLUTION
Post by: REDACTED on March 12, 2015, 07:14:45 PM
Using Avast with Web Shield enabled puts you at risk of the FREAK vulnerability.

This issue appears to have been resolved as of version 2015.10.2.2214.
If you have disabled your Web Shield, please follow the steps below to re-activate it.


Note: I have still not confirmed whether the Mail Shield is vulnerable. I would like to invite an Avast representative to answer this question.

What can I do now?

Confirm if your browser is still vulnerable: https://freakattack.com/

If it still shows a red message, confirm your Avast version is 2015.10.2.2214. If it is, run Windows Update, manually update your browsers, or try to use a known safe browser.

As stated by FreakAttack's website:

Quote
If you run a server …

You should immediately disable support for TLS export cipher suites. While you’re at it, you should also disable other cipher suites that are known to be insecure and enable forward secrecy. For instructions on how to secure popular HTTPS server software, we recommend Mozilla’s security configuration guide and their SSL configuration generator. We also recommend testing your configuration with the Qualys SSL Labs SSL Server Test tool.

If you use a browser …

Make sure you have the most recent version of your browser installed, and check for updates frequently. Updates that fix the FREAK attack should be available for all major browsers soon.

If you’re a sysadmin or developer …

Make sure any TLS libraries you use are up to date. Unpatched OpenSSL, Microsoft Schannel, and Apple SecureTransport all suffer from the vulnerability. Note that these libraries are used internally by many other programs, such as wget and curl. You also need to ensure that your software does not offer export cipher suites, even as a last resort, since they can be exploited even if the TLS library is patched. We have provided tools for software developers that may be helpful for testing.

As usual, stay away from sites you don't know. Employ common sense when browsing the Internet. Only visit known safe, secure websites, always type in the full URL of your financial institutes instead of using connecting links from other websites and employ a reputable third-party payment gateway, such as PayPal (https://www.paypal.com/) to handle your transactions instead of posting your credit card details.

Above all else, keep your Avast software and Virus Definitions updated at all times!

If you have any problems, please shoot a message below, I will try my best to respond as quickly as possible.
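
As an added example (not part of the original post or of the FreakAttack site), here is one way a developer could check the quoted advice that software "does not offer export cipher suites": parse a captured TLS ClientHello and list any export-grade RSA suites it offers. The function names and the sample handshakes are constructed for illustration; the suite IDs are the RSA_EXPORT values from RFC 2246.

```python
import struct

# RSA_EXPORT suite IDs (RFC 2246 / RFC 4346), the export-grade RSA suites.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def offered_cipher_suites(record):
    """Return the cipher suite IDs listed in one TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    # Handshake header (4) + client_version (2) + random (32) + session_id length (1)
    if len(hs) != rec_len or len(hs) < 39 or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    pos = 39 + hs[38]                      # skip the session_id itself
    if pos + 2 > len(hs):
        raise ValueError("truncated before cipher suite list")
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    raw = hs[pos + 2:pos + 2 + cs_len]
    if len(raw) != cs_len or cs_len % 2:
        raise ValueError("malformed cipher suite list")
    return [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, cs_len, 2)]

def export_suites_offered(record):
    """Names of export-grade RSA suites the client offers (empty list = none)."""
    return [RSA_EXPORT_SUITES[s] for s in offered_cipher_suites(record)
            if s in RSA_EXPORT_SUITES]

def build_sample_hello(suites):
    """Constructed sample: TLS 1.0 ClientHello, zero random, empty session id."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    legacy = build_sample_hello([0x002F, 0x0003, 0x0008])   # constructed input
    modern = build_sample_hello([0xC02F, 0x002F])           # constructed input
    print("legacy:", export_suites_offered(legacy))
    print("modern:", export_suites_offered(modern))
```

An empty result only shows that export suites are not offered; it does not show that the underlying TLS library is patched, which still has to be confirmed by version.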
Title: Re: [VULNERABILITY] [Web Shield] Avast still vulnerable to FREAK security flaw.
Post by: essexboy on March 12, 2015, 07:18:15 PM
Intriguing, as my Avast setup has me secure. Also, if you disable Web Shield you have removed your first and main line of defence.

Do you have HTTPS scanning enabled, and are you using the latest version?


Title: Re: [VULNERABILITY] [Web Shield] Avast still vulnerable to FREAK security flaw.
Post by: REDACTED on March 12, 2015, 07:20:30 PM
It's true that Web Shield does a good job with protecting users against malicious websites and infected downloaded files, however, the FREAK vulnerability allows attackers to intercept all website communications, both HTTP and HTTPS.

More information can be found here: https://freakattack.com and here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
Title: Re: [VULNERABILITY] [Web Shield] Avast still vulnerable to FREAK security flaw.
Post by: essexboy on March 12, 2015, 07:22:09 PM
I have just edited my previous post. What version are you running?
Title: Re: [VULNERABILITY] [Web Shield] Avast still vulnerable to FREAK security flaw.
Post by: DavidR on March 12, 2015, 07:23:14 PM
Firstly 2015.10.0.2208 isn't the latest Program update, so I would start by updating the program to 2015.10.2.2214.
Title: Re: [VULNERABILITY] [Web Shield] Avast still vulnerable to FREAK security flaw.
Post by: REDACTED on March 12, 2015, 07:25:16 PM
My versions, as posted in the opening post, are 25.10.0.2208 and VDV 150312-1

My Avast user interface has not told me that it is out of date, either.

(http://i.imgur.com/OgP7oxB.png)
Title: Re: [VULNERABILITY] [Web Shield] Avast still vulnerable to FREAK security flaw.
Post by: REDACTED on March 12, 2015, 07:25:44 PM
I shall force an update and see what happens.
Title: Re: [VULNERABILITY] [Web Shield] Avast still vulnerable to FREAK security flaw.
Post by: CraigB on March 12, 2015, 07:26:38 PM
You only have to look at the stickied posts at the top of the forum to see you're on an outdated version.
Title: Re: [VULNERABILITY] [Web Shield] Avast still vulnerable to FREAK security flaw.
Post by: Eddy on March 12, 2015, 07:26:48 PM
The topic is wrong.
It is not Avast that is vulnerable, but browser communication.

For several browsers there are already patches and for others there are solutions.
For a start, don't allow SSL but only TLS.
Title: Re: [VULNERABILITY] [Web Shield] Avast still vulnerable to FREAK security flaw.
Post by: REDACTED on March 12, 2015, 07:28:29 PM
Noted and updated to reflect that.
Title: Re: [RESOLVED] [Web Shield] Avast vulnerable to FREAK security flaw. SOLUTION
Post by: REDACTED on March 12, 2015, 07:47:09 PM
After testing I have confirmed that it has been patched as of 2015.10.2.2214

I have reflected the opening post to address users still experiencing the issue.
Title: Re: [RESOLVED] [Web Shield] Avast vulnerable to FREAK security flaw. SOLUTION
Post by: DavidR on March 12, 2015, 11:00:58 PM
Thanks for testing and the confirmation.