Avast WEBforum

Topic started by: willfarnaby on June 09, 2006, 11:40:12 AM

Title: WHY the Security Hole in AVAST?
Post by: willfarnaby on June 09, 2006, 11:40:12 AM
Why on earth does C:\Program Files\Alwil Software\Avast4\DATA and its contents grant Full Control security permission to Everyone ?!

Is there some obscure reason for this bizarre insecurity?

Title: Re: WHY the Security Hole in AVAST?
Post by: Vlk on June 09, 2006, 11:52:14 AM
Could you please elaborate a bit more why you think this is a "security hole" (or even "bizarre insecurity")?

Thanks :)
Vlk
Title: Re: WHY the Security Hole in AVAST?
Post by: willfarnaby on June 09, 2006, 12:21:54 PM
Bizarre in the sense that, AFAIK, it shouldn't be necessary. For example, I've installed many, many applications (consumer, for development, etc.) and can't recall, at the moment, any others even involving the Everyone role, let alone granting it a full set of permissions.

So, what is the rationale for the .../DATA directory's security assignments?
Can I remove Everyone?
Does a member of the User group need write permission?
If so, why isn't each user's user.dir / isolated storage used instead of opening up the location under Program Files?
Title: Re: WHY the Security Hole in AVAST?
Post by: Lisandro on June 09, 2006, 01:42:53 PM
Some antivirus (like ClamWin or AVG) use the Documents & Settings folder (personal profile) to store files that need to be written by common users (I suppose).
Title: Re: WHY the Security Hole in AVAST?
Post by: wendy k. walker on June 14, 2006, 05:35:00 AM
OK, so did anyone ever figure out if that is actually a big security hole, or if it is anywhere near being a bizarre insecurity?

♥ Wendy
Title: Re: WHY the Security Hole in AVAST?
Post by: avvidro on June 14, 2006, 06:49:36 AM
What!? Excuse my sincerity, but you asked.

The security hole in giving full control to everyone to Avast folders can be exploited by malicious users with no privileges at all to remove files or replace them with malware, escalation of privileges and so on.

If the info posted by Wendy is true, the bizarre could be how easily this issue passed by two Avast evangelists without apparent firing the red alert in the community.
Title: Re: WHY the Security Hole in AVAST?
Post by: RejZoR on June 14, 2006, 09:56:36 AM
Like it matters? I mean we all run in Admin mode? What difference does it make?
Title: Re: WHY the Security Hole in AVAST?
Post by: kubecj on June 14, 2006, 11:32:38 AM
avvidro: What escalation of privileges in DATA folder? What malware replacements in DATA folder? Etc...
Title: Re: WHY the Security Hole in AVAST?
Post by: wendy k. walker on June 15, 2006, 03:46:59 AM
OK so now I don't know if I should be waving a red flag, banging my head on my desk, or just sitting here crying.

Has anyone from Avast! been able to make a determination as to whether this is actually "A Big Security Hole" or not?

♥ Wendy
Title: Re: WHY the Security Hole in AVAST?
Post by: martosurf on June 15, 2006, 07:27:00 AM
What!? Excuse my sincerity, but you asked.

The security hole in giving full control to everyone to Avast folders can be exploited by malicious users with no privileges at all to remove files or replace them with malware, escalation of privileges and so on.

If the info posted by Wendy is true, the bizarre could be how easily this issue passed by two Avast evangelists without apparent firing the red alert in the community.

Can you give some concrete examples to help me figure it better, please??
Title: Re: WHY the Security Hole in AVAST?
Post by: Lisandro on June 15, 2006, 03:59:35 PM
Has anyone from Avast! been able to make a determination as to whether this is actually "A Big Security Hole" or not?
Shortly, there isn't  8)
Title: Re: WHY the Security Hole in AVAST?
Post by: DavidR on June 15, 2006, 05:03:13 PM
Is or isn't this to do with the escalation of privileges vulnerability where this was previously possible (affecting several AVs including avast), however, recent program updates have or were supposed to correct this issue. So much so that some users couldn't view the avast4 folder (they didn't even have read permission) corrected by another program update.

Currently I believe it is only read permissions to all in the Data folder so this begs the question are you using the latest version of avast (current version 4.7.844)?
Title: Re: WHY the Security Hole in AVAST?
Post by: Erroneus on June 16, 2006, 12:01:22 AM
Using v844 and everyone has full access here and yes it's a problem  :-X

If running on a PC with a single admin user, well then no problem, but if running on a PC, let's say e.g. in a company or at a school where the user has restricted permissions on the computer, it's a huge security hole.

Please look into this "avast".
Title: Re: WHY the Security Hole in AVAST?
Post by: kubecj on June 16, 2006, 10:36:37 AM
Still not getting what's the problem.

Avast sets whole directory as read-only. Except for data folder. What's the problem with that again?
Title: Re: WHY the Security Hole in AVAST?
Post by: Negeltu on June 16, 2006, 01:53:06 PM
Still not getting what's the problem.

Avast sets whole directory as read-only. Except for data folder. What's the problem with that again?

I don't really see the problem either.   :-\
Title: Re: WHY the Security Hole in AVAST?
Post by: Dwarden on June 16, 2006, 03:40:23 PM
only what can be done this way is someone from this "Everyone" group to read, modify or damage Avast! Data folder files ... in that case he can maximally read logs or cause Avast! to not operate correctly ...

there are no executables nor loaded libs so infection with trojans not come to place ...

YET another problem could be ability of "Everyone"  to place file there and then execute (full control right)
- but that would mean anywhere in filesystem on actual PC is "Everyone" set to READ ONLY right... ie schools like someone mentioned
in such case Avast! DATA folder rights could turn into 'issue'

possible solution for future, while installing / updating avast! there should be dialog asking about directory access rights allowing to choose Everyone or Custom ... or st like that ...

am I missing something  :P
Title: Re: WHY the Security Hole in AVAST?
Post by: Vlk on June 16, 2006, 04:13:20 PM
Please also note that this is only a "feature" of avast Home/Pro.
Network Editions of avast have all folders locked down (including DATA or the logs) - because it must be tamper-proof. That is, regular users should not be, in any way, able to influence avast's operation.


Cheers
Vlk
Title: Re: WHY the Security Hole in AVAST?
Post by: Lisandro on June 16, 2006, 05:40:44 PM
But that would mean anywhere in filesystem on actual PC is "Everyone" set to READ ONLY right... ie schools like someone mentioned in such case Avast! DATA folder rights could turn into 'issue'
Two points:
1. Why aren't the common users allowed only to read and execute files into the avast folders? (like, for instance, MS Office folder under Program files)
2. At schools, most probably, they're not allowed to be using avast! Home version  :-[
Title: Re: WHY the Security Hole in AVAST?
Post by: darkultra on June 17, 2006, 01:53:47 AM
It is a sign of bad software design.

I think Windows Vista is much more strict about this and most Unix and Linux programmers would giggle, but they are used to a better user privilege culture.

Lately Windows have gotten separate folders for Programs and their settings and user data.

C:\Program Files\
C:\Documents and Settings\%username%\Application Data\

Would it be much work to rewrite Avast4 Home/Pro to use this directory for settings instead?

I myself prefer programs that keep settings in their own dir and do not touch the registry and don't have to be reinstalled if I have to reinstall Windows. Saves a lot of time.
http://jooh.no/programs_on_d.html
Title: Re: WHY the Security Hole in AVAST?
Post by: avvidro on June 18, 2006, 02:35:35 PM
The security focused site Secunia (which is one of the most active sites in identifying Microsoft Internet Explorer flaws) has more details about this issue.

http://secunia.com/advisories/19284/
Title: Re: WHY the Security Hole in AVAST?
Post by: Lisandro on June 18, 2006, 04:46:54 PM
The security focused site Secunia (which is one of the most active sites in identifying Microsoft Internet Explorer flaws) has more details about this issue.
http://secunia.com/advisories/19284/
Thanks for posting...
Indeed, it's not a good advertisement to avast  :'( :-\
Title: Re: WHY the Security Hole in AVAST?
Post by: DavidR on June 18, 2006, 04:52:29 PM
However, this vulnerability has been patched as was mentioned in the link to the forums in the advisory and as I mentioned previously avast wasn't the only AV or program to be affected by this vulnerability.
Title: Re: WHY the Security Hole in AVAST?
Post by: Lisandro on June 18, 2006, 05:10:56 PM
However, this vulnerability has been patched as was mentioned in the link to the forums in the advisory
Where? In the last 4.7 version?

and as I mentioned previously avast wasn't the only AV or program to be affected by this vulnerability.
This is not an excuse to avast...
I think AVG and ClamWin use Documents & Settings folder to store user files. Firefox does the same to store the profiles.
It won't be bad if avast could support profiles. This seems only to be possible at ADNM version  :P
Title: Re: WHY the Security Hole in AVAST?
Post by: avvidro on June 18, 2006, 05:33:49 PM
However, this vulnerability has been patched as was mentioned in the link to the forums in the advisory and as I mentioned previously avast wasn't the only AV or program to be affected by this vulnerability.
As mentioned at this link ( http://secunia.com/product/5162/ ) this issue keeps unpatched.
Title: Re: WHY the Security Hole in AVAST?
Post by: DavidR on June 18, 2006, 06:29:13 PM
Which is just pointing back to the advisory that you previously posted (categorised as Less Critical), which I have to take Igor's word that it will now have been patched (as there have been program updates since that time 3 months ago) and also on the forum link given http://forum.avast.com/index.php?topic=19862.0.

There is also a work around solution given by toadlife, after Igor's post so people could do something prior to the next program update.
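
An added example, not part of any post in this thread and not Avast's own tooling: a PowerShell audit an administrator could run to list directories under an install path that grant write-capable rights to Everyone, Authenticated Users or Users, which is the condition the thread debates. The function name `Find-WeakDirectoryAcl` and the choice of groups and rights to flag are assumptions made for this example.

```powershell
# Added example: audit directories for write-capable ACEs held by broad groups.
# Well-known SIDs are matched instead of names so the check works on localized Windows.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that let a principal change or replace directory contents or the ACL itself.
$Fsr = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($Fsr::WriteData -bor $Fsr::AppendData -bor $Fsr::Delete -bor
    $Fsr::DeleteSubdirectoriesAndFiles -bor $Fsr::ChangePermissions -bor
    $Fsr::TakeOwnership)
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) can appear unmapped
# in inherit-only ACEs, so they are checked as raw bits.
$GenericMask = 0x40000000 -bor 0x10000000

function Find-WeakDirectoryAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recurse
    )
    $dirs = @(Get-Item -LiteralPath $Path)
    if ($Recurse) {
        $dirs += Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue
    }
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        # Explicit and inherited ACEs, with identities returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            $rights = [int]$rule.FileSystemRights
            if ($rule.AccessControlType -eq 'Allow' -and $BroadSids.ContainsKey($sid) -and
                (($rights -band ($WriteMask -bor $GenericMask)) -ne 0)) {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Principal = $BroadSids[$sid]
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

# Path taken from the first post; adjust for the install being audited.
Find-WeakDirectoryAcl -Path 'C:\Program Files\Alwil Software\Avast4' -Recurse | Format-Table -AutoSize
```

The script reports Allow entries only and does not compute effective access, so a Deny entry or a more restrictive parent traversal right may still block a flagged principal.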