Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: gowiththeflow on January 25, 2010, 04:18:43 PM
-
I must admit ... when I saw this, I was a little stunted.
Edit: forgot the screenshot
(http://i49.tinypic.com/2ib15om.png)
-
I must admit ... when I saw this, I was a little stunted.
have a drink ;) there will be better days ;D
-
Yep, for the statistics pages...
Why such a big deal though? Pretty much every pc has flash...
http://forum.avast.com/index.php?topic=49727.0
As I already said, avast! doesn't need it... it's just a cosmetic feature you can certaily live without.
(and I'm pretty sure you're wrong on that statement anyway - that no other programs use flags - but don't know about any examples right now)
Post: http://forum.avast.com/index.php?topic=49727.msg426324#msg426324
-Scott-
Offtop: Not really going with the flow then? ;D Sorry, I just had to :)
-
I must admit ... when I saw this, I was a little stunted.
This is already a classic question. Please try to search the forum before posting.
The short answer is no. However, if you think the graphical stats showcase is the necessity, the answer suddenly becomes yes. Flash is only required for the stats showcase and is not required for basic function.
-
Avast should definitely switch to HTML5 and OSS codec... just kidding :D
-
I dont know how many of you get to participate in things like live reseller open-forums, but I do and can verify that pretty much every time it is on security...btw, Avast! has always received high praise when ever mentioned there...Adobe Flash; and a few other apps they improperly bully into yur OS with poor, poor developed code concerning comprimisability.
That is enough to make me ask....
Just becuase everyone else seems to be calling it a good thing :-X doesnt always mean it is. Awil, lets do a package that IS NOT reliant on any other apps
Me personally, Im tired of paying with my over all security for things such as this. Thank you for addressing the ability to install OFFLINE. Even though I love Avast I would not be purchasing the IS suite and woulda just stayed with the free.
-
Offtop: Not really going with the flow then? ;D Sorry, I just had to :)
Lol it's a bare bone VM for crying out loud.
This is already a classic question. Please try to search the forum before posting.
I did - typed "flash" in the search box and pressed enter. I didn't notice anything relevant. May be you'll have better luck? http://forum.avast.com/index.php?action=search2
-
I don't quite understand the issue, flash is a requirement of many things, even security things...(secunia) so I don't think that this is an issue...and anyway, if you feel unsecure with it, then remove it...the statistics are not important to the function of avast! it is just a cosmetic thing, which it the point of flash anyway.
I found the thread I referenced by using that method, searching 'flash'...it was the 6th result, but then I suppose I kinda knew what I was looking for...
-
I don't quite understand the issue, flash is a requirement of many things, even security things...(secunia) so I don't think that this is an issue...
There wasn't an issue, but I guess I was stunted because avast chose to use only flash to display statistics, and won't even consider displaying static info when flash is not available ...
Are those eye-candies that essential to the information presentation?
-
Yes, I don't think there is another way of viewing them...i.e. it can't without flash...
-
Even with Secunia PSI, which I do use, Flash is only required to show the graph that displays the percentage of patched programs week to week. Note that Flash (ActiveX version) for IE is needed. Flash for Gecko and other browsers won't suffice.
-
Using Flash is a "big deal" because it puts Flash within Avast's security perimeter. Consider that Avast must run with administrative privileges, which means, in turn, that Flash embedded within an Avast application also runs with administrative privileges [1]. Thus, an attacker probably can use an exploitable Flash bug to gain administrative privileges.
Also, since Flash is (by default) a network-enabled application, using it within Avast increases the likelihood that a network-based attack will penetrate Flash and, by extension, Avast.
Finally, good security practice dictates minimizing the amount of privileged code.
[1] Unless Avast uses special techniques to run it in a nonprivileged context. Developers: does it?
-
still waiting from someone to report he had an infection because of the embedding of flash in Avast5 ;D
-
still waiting from someone to report he had an infection because of the embedding of flash in Avast5 ;D
It's the rare victim who knows how her system got infected. I hope that your post does not represent the attitude of the Avast development team.
-
still waiting from someone to report he had an infection because of the embedding of flash in Avast5 ;D
It's the rare victim who knows how her system got infected. I hope that your post does not represent the attitude of the Avast development team.
don't know what group of people you represent when you launch fake alarms on the potential risks with Flash in Avast ::) ...I dare you to come back here in 3 years and tell me about someone whose system got infected that way. This will be a fantastic occasion to prove your point. You think the avast team is not aware of Flash Player vulnerabilities ? and they would have taken a chance to put V5 users' systems at risk with that, are you serious?
ps: Avast5 isn't a browser 8)
-
By all means please disregard perfectly-mainstream security commentary and impugn the messenger's motives. That will surely improve Avast's resistance to attack.
Now, please explain to us -- if you can -- how adding Flash to Avast's security perimeter improves (or, at least, doesn't reduce) its security.
-
Consider that Avast must run with administrative privileges, which means, in turn, that Flash embedded within an Avast application also runs with administrative privileges [1]. Thus, an attacker probably can use an exploitable Flash bug to gain administrative privileges.
How does a bug in Flash get exploited?
Well, by rendering a special (crafted) Flash content - that turns into a real code in the corresponding process (usually your web browser). So, the attacker puts this "bad" content on a web page... and when you visit that page, your browser may get infected (through the Flash component).
Now, avast! uses Flash only to display its own (statistics) data... how would you make avast! render this special ("exploit") data? I don't think you can...
Btw, Flash is used only in avast! GUI - which does not run with administrative privileges. The main avast! service does (run with that privileges), but it uses no GUI components and no Flash.
-
By all means please disregard perfectly-mainstream security commentary and impugn the messenger's motives. That will surely improve Avast's resistance to attack.
Now, please explain to us -- if you can -- how adding Flash to Avast's security perimeter improves (or, at least, doesn't reduce) its security.
I think someone just answered to you, post above mine (Igor) ... you're wasting your time ::) ... and a bit of ours.
-
Have you seen the people the hired to program Windows 7 on TV...none of those guys no a thing about REAL computing since most of the stuff has been there for YEARS!!! Its just been about your own ACTUAL knowledge vs what you say to fit in.
Flash is a VERY comprimisable set of instructions...regardless of where you put it. Im willing to bet more than any of you realise. Thats not the point.
As far as Joe User...sure Falsh is fine and dandy and he probably would swear to its security, but REAL commmunities who understand secure code and instruction sets STILL wonder why adobe isnt doing much about it...same as actually providing 64 bit flash, but thats another topic for Adobe support forums. When Adobe and flash ARE NOT the key vunerabilities addressed in reseller conferences on security I'll buy into it.
Goggle: Everything Reseller Channel and you can get in on these so you understand this isnt one dude claiming how the reseller community REALLY feels. Last years was hosted by Kaspersky...and they wre pretty non-biased for themselves I must say.
As strongly as I feel about the Avast engine, I think it may be found to be compromised through its use of flash...again, simply over the under-developed code set(s). but thats IMO.
-
You're wrong, read what I wrote.
If you argued that your browser might get compromised because you have installed Flash (because of avast!)... there might be a point there. But avast! cannot be compromised through Flash because it renders only its own data through the Flash engine.
-
Consider that Avast must run with administrative privileges, which means, in turn, that Flash embedded within an Avast application also runs with administrative privileges [1]. Thus, an attacker probably can use an exploitable Flash bug to gain administrative privileges.
How does a bug in Flash get exploited?
Well, by rendering a special (crafted) Flash content - that turns into a real code in the corresponding process (usually your web browser). So, the attacker puts this "bad" content on a web page... and when you visit that page, your browser may get infected (through the Flash component).
Now, avast! uses Flash only to display its own (statistics) data... how would you make avast! render this special ("exploit") data? I don't think you can...
The scenario is that a user browses to an infected website, which causes Flash embedded in her browser to store malware that can then be loaded into a different Flash session. If it is then loaded into a Flash session running with administrative privileges, the malware uses a bug in Flash, in combination with those privileges, to infect the machine. Also, if the embedded instance of Flash has access to the network stack, it might be able to pick up infected content directly, such as via a DNS attack on a check-for-updates feature.
Btw, Flash is used only in avast! GUI - which does not run with administrative privileges. The main avast! service does (run with that privileges), but it uses no GUI components and no Flash.
Under 4.8, the Avast GUI runs within the ashdisp.exe process, which runs under an administrative account with, among other things, the BUILTIN\Administrators group SID enabled. Also, SeImpersonatePrivilege and apparently SeLoadDriverPrivilege (!) are enabled. I don't know about 5.x, which I haven't installed. Does it disable the administrative group SIDs and/or run ashdisp in a non-admin account? What privileges does it leave enabled?
Also, even if adding Flash to Avast did not, at present, create an attack vector, it creates the potential for one. If a developer later gives a Flash-containing process an additional privilege for some reason, Flash gains the privilege as well. Similarly, if a later version of Flash adds some insecure feature (like loading code from the network without properly checking its digital signature), that code can infect the Avast GUI process, and maybe, for example, turn off a provider.
-
The scenario is that a user browses to an infected website, which causes Flash embedded in her browser to store malware that can then be loaded into a different Flash session.
How exactly (does it get loaded into a different session)? Where exactly is the malware stored?
Under 4.8, the Avast GUI runs within the ashdisp.exe process, which runs under an administrative account with, among other things, the BUILTIN\Administrators group SID enabled.
OK, correction - the GUI runs under whoever is logged on, just like ashDisp.exe in avast! 4. So yes, if you log on as an administrator, it runs under your account.
However, if you're logged on as an administrator and your browser gets infected, you're screwed anyway.
Also, SeImpersonatePrivilege and apparently SeLoadDriverPrivilege (!) are enabled. I don't know about 5.x, which I haven't installed. Does it disable the administrative group SIDs and/or run ashdisp in a non-admin account? What privileges does it leave enabled?
Privileges are associated with the particular account - whether they're enabled or not is rather irrelevant (= enabling a privilege granted to your account is just a few API calls, anybody can do that).
-
The scenario is that a user browses to an infected website, which causes Flash embedded in her browser to store malware that can then be loaded into a different Flash session.
How exactly (does it get loaded into a different session)? Where exactly is the malware stored?
Flash is able to cache downloaded data ("global storage"); see http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html for your Flash player's current setting. I don't know where it caches it, or what cross-session or cross-domain controls (if any) Flash might use to restrict when such data might be used. Also, even if Flash currently has such controls, and they're bug-free, a Flash update could break them.
Basically, embedding another software package within Avast is -- for security purposes -- like inviting members of that package's development team onto Alwil's staff. Indeed, it could be worse than that, because the other development team might be able to update its product -- and thus introduce something new into Avast's security perimeter -- without even consulting Avast's team.
BTW, I don't want it to seem like I'm singling out Avast here. Very many packages have similar vulnerabilities.
Under 4.8, the Avast GUI runs within the ashdisp.exe process, which runs under an administrative account with, among other things, the BUILTIN\Administrators group SID enabled.
OK, correction - the GUI runs under whoever is logged on, just like ashDisp.exe in avast! 4. So yes, if you log on as an administrator, it runs under your account.
However, if you're logged on as an administrator and your browser gets infected, you're screwed anyway.
It's certainly true that browsing in an admin account is asking to be infected. However, just because ashdisp runs in an administrative account doesn't mean that your browser does. I, for example, always run browsers in an unprivileged account, and I often urge others to do the same.
Also, SeImpersonatePrivilege and apparently SeLoadDriverPrivilege (!) are enabled. I don't know about 5.x, which I haven't installed. Does it disable the administrative group SIDs and/or run ashdisp in a non-admin account? What privileges does it leave enabled?
Privileges are associated with the particular account - whether they're enabled or not is rather irrelevant (= enabling a privilege granted to your account is just a few API calls, anybody can do that).
It's more subtle than that. A program running under, say, "administrator" can create a token that restricts certain privileges. It can then CreateProcess a process using that token, but running under the same account, that then is not able to enable the restricted privileges. See the section on "dropmyrights" in http://technet.microsoft.com/en-us/library/bb456992.aspx for more on this technique.
In any case, if the ashdisp process has certain privileges and/or privileged SIDs in its access token, and the embedded Flash that it runs becomes compromised, the attacker can use the resulting rights to infect the system.
-
It's more subtle than that. A program running under, say, "administrator" can create a token that restricts certain privileges. It can then CreateProcess a process using that token, but running under the same account, that then is not able to enable the restricted privileges. See the section on "dropmyrights" in http://technet.microsoft.com/en-us/library/bb456992.aspx for more on this technique.
In any case, if the ashdisp process has certain privileges and/or privileged SIDs in its access token, and the embedded Flash that it runs becomes compromised, the attacker can use the resulting rights to infect the system.
Sure, tokens can be restricted... I was just trying to say that ashDisp.exe is just an ordinary process running under the currently logged-on user's account (just like Explorer.exe, for example) - and if such a process gets exploited, i.e. a malicious code starts executing inside, then it doesn't really matter if the privileges are already enabled, or just silently granted - the malicious code can enable them if the account has them.
-
It's more subtle than that. A program running under, say, "administrator" can create a token that restricts certain privileges. It can then CreateProcess a process using that token, but running under the same account, that then is not able to enable the restricted privileges. See the section on "dropmyrights" in http://technet.microsoft.com/en-us/library/bb456992.aspx for more on this technique.
In any case, if the ashdisp process has certain privileges and/or privileged SIDs in its access token, and the embedded Flash that it runs becomes compromised, the attacker can use the resulting rights to infect the system.
Sure, tokens can be restricted... I was just trying to say that ashDisp.exe is just an ordinary process running under the currently logged-on user's account (just like Explorer.exe, for example) - and if such a process gets exploited, i.e. a malicious code starts executing inside, then it doesn't really matter if the privileges are already enabled, or just silently granted - the malicious code can enable them if the account has them.
Yep, I agree.
-
...just sayin, what if the flash infection that came via the browser, infecting the flash engine itself and that carries over when Avast GUI does a call for the infected flash engine(which is the part thats insecure) to show statistics...
just sayin ::)
note: I use 'infection' becuase most people think 'virus' pertains to one set of malicious code not ANY but thats a whole nother debate.
Even if this show I have no REAL idea how flash operates, lets go back to the basic fact using something comprimisable (ie. no one is arguing flash is not EXTREMLY comprimisable) to acheive security (even for simple asthetics) you leave great vunerabilities left to be exploited.
Ill refer to my past for experience and proof of that happening...I do think Flash adds some smoothness that I think should be addresed another method, just wish I was smart enuf to know how. ;D