Author Topic: Avast 5 requires FLASH?  (Read 10640 times)

zerospam

  • Guest
Re: Avast 5 requires FLASH?
« Reply #15 on: January 25, 2010, 07:55:50 PM »
By all means please disregard perfectly-mainstream security commentary and impugn the messenger's motives. That will surely improve Avast's resistance to attack.

Now, please explain to us -- if you can -- how adding Flash to Avast's security perimeter improves (or, at least, doesn't reduce) its security.

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11872
    • AVAST Software
Re: Avast 5 requires FLASH?
« Reply #16 on: January 25, 2010, 07:57:01 PM »
Quote
Consider that Avast must run with administrative privileges, which means, in turn, that Flash embedded within an Avast application also runs with administrative privileges [1]. Thus, an attacker probably can use an exploitable Flash bug to gain administrative privileges.

How does a bug in Flash get exploited?
Well, by rendering a special (crafted) Flash content - that turns into a real code in the corresponding process (usually your web browser). So, the attacker puts this "bad" content on a web page... and when you visit that page, your browser may get infected (through the Flash component).

Now, avast! uses Flash only to display its own (statistics) data... how would you make avast! render this special ("exploit") data? I don't think you can...


Btw, Flash is used only in avast! GUI - which does not run with administrative privileges. The main avast! service does (run with those privileges), but it uses no GUI components and no Flash.

Hermite15

  • Guest
Re: Avast 5 requires FLASH?
« Reply #17 on: January 25, 2010, 08:00:38 PM »
Quote
By all means please disregard perfectly-mainstream security commentary and impugn the messenger's motives. That will surely improve Avast's resistance to attack.

Now, please explain to us -- if you can -- how adding Flash to Avast's security perimeter improves (or, at least, doesn't reduce) its security.

I think someone just answered you, post above mine (Igor) ... you're wasting your time  ::) ... and a bit of ours.

hyjaxltd

  • Guest
Re: Avast 5 requires FLASH?
« Reply #18 on: January 25, 2010, 08:04:46 PM »
Have you seen the people they hired to program Windows 7 on TV...none of those guys know a thing about REAL computing since most of the stuff has been there for YEARS!!!  It's just been about your own ACTUAL knowledge vs what you say to fit in.

Flash is a VERY compromisable set of instructions...regardless of where you put it.  I'm willing to bet more than any of you realise.  That's not the point.

As far as Joe User...sure Flash is fine and dandy and he probably would swear to its security, but REAL communities who understand secure code and instruction sets STILL wonder why Adobe isn't doing much about it...same as actually providing 64-bit Flash, but that's another topic for Adobe support forums.  When Adobe and Flash ARE NOT the key vulnerabilities addressed in reseller conferences on security I'll buy into it.

Google:  Everything Reseller Channel and you can get in on these so you understand this isn't one dude claiming how the reseller community REALLY feels.  Last year's was hosted by Kaspersky...and they were pretty non-biased for themselves I must say.

As strongly as I feel about the Avast engine, I think it may be found to be compromised through its use of Flash...again, simply over the under-developed code set(s).  But that's IMO.

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11872
    • AVAST Software
Re: Avast 5 requires FLASH?
« Reply #19 on: January 25, 2010, 08:06:19 PM »
You're wrong, read what I wrote.

If you argued that your browser might get compromised because you have installed Flash (because of avast!)... there might be a point there. But avast! cannot be compromised through Flash because it renders only its own data through the Flash engine.
« Last Edit: January 25, 2010, 08:08:31 PM by igor »

zerospam

  • Guest
Re: Avast 5 requires FLASH?
« Reply #20 on: January 25, 2010, 08:52:20 PM »
Quote
Consider that Avast must run with administrative privileges, which means, in turn, that Flash embedded within an Avast application also runs with administrative privileges [1]. Thus, an attacker probably can use an exploitable Flash bug to gain administrative privileges.

How does a bug in Flash get exploited?
Well, by rendering a special (crafted) Flash content - that turns into a real code in the corresponding process (usually your web browser). So, the attacker puts this "bad" content on a web page... and when you visit that page, your browser may get infected (through the Flash component).

Now, avast! uses Flash only to display its own (statistics) data... how would you make avast! render this special ("exploit") data? I don't think you can...

The scenario is that a user browses to an infected website, which causes Flash embedded in her browser to store malware that can then be loaded into a different Flash session. If it is then loaded into a Flash session running with administrative privileges, the malware uses a bug in Flash, in combination with those privileges, to infect the machine. Also, if the embedded instance of Flash has access to the network stack, it might be able to pick up infected content directly, such as via a DNS attack on a check-for-updates feature.

Quote
Btw, Flash is used only in avast! GUI - which does not run with administrative privileges. The main avast! service does (run with those privileges), but it uses no GUI components and no Flash.

Under 4.8, the Avast GUI runs within the ashdisp.exe process, which runs under an administrative account with, among other things, the BUILTIN\Administrators group SID enabled. Also, SeImpersonatePrivilege and apparently SeLoadDriverPrivilege (!) are enabled. I don't know about 5.x, which I haven't installed. Does it disable the administrative group SIDs and/or run ashdisp in a non-admin account? What privileges does it leave enabled?

Also, even if adding Flash to Avast did not, at present, create an attack vector, it creates the potential for one. If a developer later gives a Flash-containing process an additional privilege for some reason, Flash gains the privilege as well. Similarly, if a later version of Flash adds some insecure feature (like loading code from the network without properly checking its digital signature), that code can infect the Avast GUI process, and maybe, for example, turn off a provider.
« Last Edit: January 25, 2010, 09:10:43 PM by zerospam »

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11872
    • AVAST Software
Re: Avast 5 requires FLASH?
« Reply #21 on: January 25, 2010, 09:24:23 PM »
Quote
The scenario is that a user browses to an infected website, which causes Flash embedded in her browser to store malware that can then be loaded into a different Flash session.

How exactly (does it get loaded into a different session)? Where exactly is the malware stored?

Quote
Under 4.8, the Avast GUI runs within the ashdisp.exe process, which runs under an administrative account with, among other things, the BUILTIN\Administrators group SID enabled.

OK, correction - the GUI runs under whoever is logged on, just like ashDisp.exe in avast! 4. So yes, if you log on as an administrator, it runs under your account.
However, if you're logged on as an administrator and your browser gets infected, you're screwed anyway.

Quote
Also, SeImpersonatePrivilege and apparently SeLoadDriverPrivilege (!) are enabled. I don't know about 5.x, which I haven't installed. Does it disable the administrative group SIDs and/or run ashdisp in a non-admin account? What privileges does it leave enabled?

Privileges are associated with the particular account - whether they're enabled or not is rather irrelevant (= enabling a privilege granted to your account is just a few API calls, anybody can do that).
« Last Edit: January 25, 2010, 09:27:03 PM by igor »

zerospam

  • Guest
Re: Avast 5 requires FLASH?
« Reply #22 on: January 25, 2010, 09:57:30 PM »
Quote
The scenario is that a user browses to an infected website, which causes Flash embedded in her browser to store malware that can then be loaded into a different Flash session.

How exactly (does it get loaded into a different session)? Where exactly is the malware stored?

Flash is able to cache downloaded data ("global storage"); see http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager03.html for your Flash player's current setting. I don't know where it caches it, or what cross-session or cross-domain controls (if any) Flash might use to restrict when such data might be used. Also, even if Flash currently has such controls, and they're bug-free, a Flash update could break them.

Basically, embedding another software package within Avast is -- for security purposes -- like inviting members of that package's development team onto Alwil's staff. Indeed, it could be worse than that, because the other development team might be able to update its product -- and thus introduce something new into Avast's security perimeter -- without even consulting Avast's team.

BTW, I don't want it to seem like I'm singling out Avast here. Very many packages have similar vulnerabilities.

Quote
Under 4.8, the Avast GUI runs within the ashdisp.exe process, which runs under an administrative account with, among other things, the BUILTIN\Administrators group SID enabled.

OK, correction - the GUI runs under whoever is logged on, just like ashDisp.exe in avast! 4. So yes, if you log on as an administrator, it runs under your account.
However, if you're logged on as an administrator and your browser gets infected, you're screwed anyway.

It's certainly true that browsing in an admin account is asking to be infected. However, just because ashdisp runs in an administrative account doesn't mean that your browser does. I, for example, always run browsers in an unprivileged account, and I often urge others to do the same.

Quote
Also, SeImpersonatePrivilege and apparently SeLoadDriverPrivilege (!) are enabled. I don't know about 5.x, which I haven't installed. Does it disable the administrative group SIDs and/or run ashdisp in a non-admin account? What privileges does it leave enabled?

Privileges are associated with the particular account - whether they're enabled or not is rather irrelevant (= enabling a privilege granted to your account is just a few API calls, anybody can do that).

It's more subtle than that. A program running under, say, "administrator" can create a token that restricts certain privileges. It can then CreateProcess a process using that token, but running under the same account, that then is not able to enable the restricted privileges. See the section on "dropmyrights" in http://technet.microsoft.com/en-us/library/bb456992.aspx for more on this technique.

In any case, if the ashdisp process has certain privileges and/or privileged SIDs in its access token, and the embedded Flash that it runs becomes compromised, the attacker can use the resulting rights to infect the system.
« Last Edit: January 25, 2010, 10:02:02 PM by zerospam »

Offline igor

  • Avast team
  • Serious Graphoman
  • Posts: 11872
    • AVAST Software
Re: Avast 5 requires FLASH?
« Reply #23 on: January 25, 2010, 10:07:36 PM »
Quote
It's more subtle than that. A program running under, say, "administrator" can create a token that restricts certain privileges. It can then CreateProcess a process using that token, but running under the same account, that then is not able to enable the restricted privileges. See the section on "dropmyrights" in http://technet.microsoft.com/en-us/library/bb456992.aspx for more on this technique.

In any case, if the ashdisp process has certain privileges and/or privileged SIDs in its access token, and the embedded Flash that it runs becomes compromised, the attacker can use the resulting rights to infect the system.

Sure, tokens can be restricted... I was just trying to say that ashDisp.exe is just an ordinary process running under the currently logged-on user's account (just like Explorer.exe, for example) - and if such a process gets exploited, i.e. a malicious code starts executing inside, then it doesn't really matter if the privileges are already enabled, or just silently granted - the malicious code can enable them if the account has them.

zerospam

  • Guest
Re: Avast 5 requires FLASH?
« Reply #24 on: January 25, 2010, 10:29:22 PM »
Quote
It's more subtle than that. A program running under, say, "administrator" can create a token that restricts certain privileges. It can then CreateProcess a process using that token, but running under the same account, that then is not able to enable the restricted privileges. See the section on "dropmyrights" in http://technet.microsoft.com/en-us/library/bb456992.aspx for more on this technique.

In any case, if the ashdisp process has certain privileges and/or privileged SIDs in its access token, and the embedded Flash that it runs becomes compromised, the attacker can use the resulting rights to infect the system.

Sure, tokens can be restricted... I was just trying to say that ashDisp.exe is just an ordinary process running under the currently logged-on user's account (just like Explorer.exe, for example) - and if such a process gets exploited, i.e. a malicious code starts executing inside, then it doesn't really matter if the privileges are already enabled, or just silently granted - the malicious code can enable them if the account has them.

Yep, I agree.
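
Added example, not part of any post in this thread: a small auditor for the token properties debated in replies #20 to #24, run over `whoami /priv /fo csv` and `whoami /groups /fo csv` text. The function name `audit_token`, the English column names and both sample outputs are assumptions constructed for illustration; it treats a disabled privilege as held (igor's point) and only an absent privilege or a deny-only Administrators SID as dropped (the restricted-token case zerospam describes).

```python
import csv
import io

# Items singled out in the thread for the ashdisp.exe token.
WATCHED_PRIVS = {"SeImpersonatePrivilege", "SeLoadDriverPrivilege"}
ADMINS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators


def _rows(text):
    return csv.DictReader(io.StringIO(text.strip()))


def audit_token(priv_csv, groups_csv):
    """Findings for one token, given `whoami /priv /fo csv` and
    `whoami /groups /fo csv` text (English column names assumed)."""
    findings = []
    for row in _rows(priv_csv):
        # A Disabled privilege is still held: code in the process can enable
        # it. Only a privilege absent from the token is out of reach.
        if row["Privilege Name"] in WATCHED_PRIVS:
            findings.append(f"{row['Privilege Name']} held ({row['State']})")
    for row in _rows(groups_csv):
        # A deny-only SID matches deny ACEs only and grants no access.
        if row["SID"] == ADMINS_SID and "deny only" not in row["Attributes"].lower():
            findings.append("BUILTIN\\Administrators SID enabled")
    return findings


# Constructed sample: ordinary token of a logged-on administrator.
FULL_PRIV = r'''
"Privilege Name","Description","State"
"SeLoadDriverPrivilege","Load and unload device drivers","Disabled"
"SeImpersonatePrivilege","Impersonate a client after authentication","Enabled"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
'''
FULL_GROUPS = r'''
"Group Name","Type","SID","Attributes"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group, Group owner"
'''
# Constructed sample: same account, process started with a restricted token.
RESTRICTED_PRIV = r'''
"Privilege Name","Description","State"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
'''
RESTRICTED_GROUPS = r'''
"Group Name","Type","SID","Attributes"
"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"
'''

if __name__ == "__main__":
    print(audit_token(FULL_PRIV, FULL_GROUPS))
    print(audit_token(RESTRICTED_PRIV, RESTRICTED_GROUPS))
```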

hyjaxltd

  • Guest
Re: Avast 5 requires FLASH?
« Reply #25 on: January 26, 2010, 12:50:58 AM »
...just sayin, what if the flash infection that came via the browser, infecting the flash engine itself and that carries over when Avast GUI does a call for the infected flash engine (which is the part that's insecure) to show statistics...

just sayin ::)
note:  I use 'infection' because most people think 'virus' pertains to one set of malicious code not ANY but that's a whole nother debate.

Even if this shows I have no REAL idea how Flash operates, let's go back to the basic fact: using something compromisable (i.e. no one is arguing Flash is not EXTREMELY compromisable) to achieve security (even for simple aesthetics), you leave great vulnerabilities left to be exploited.

I'll refer to my past for experience and proof of that happening...I do think Flash adds some smoothness that I think should be addressed another method, just wish I was smart enough to know how. ;D