Author Topic: [Avast 2015] SafeZone browser based on obsolete version of Chrome  (Read 6505 times)

0 Members and 1 Guest are viewing this topic.

Offline BoerenkoolMetWorst

  • Newbie
  • *
  • Posts: 3
Just like Avast 2014, the SafeZone browser is still based on Chrome 28.0.1500.71, which was released on July 2013. Tons of critical vulnerabilities have been fixed since then and SafeZone's browser does not support TLS 1.2. Please update the SafeZone browser to the latest version of Chrome.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 82724
  • No support PMs thanks
Re: [Avast 2015] SafeZone browser based on obsolete version of Chrome
« Reply #1 on: August 21, 2014, 09:03:56 PM »
The safe zone browser isn't Chrome - It isn't based on Chrome, but a custom version of Chromium, which Chrome is based.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.2.2401 (build 20.2.5130.561) UI-1.0.502/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline BoerenkoolMetWorst

  • Newbie
  • *
  • Posts: 3
Re: [Avast 2015] SafeZone browser based on obsolete version of Chrome
« Reply #2 on: August 23, 2014, 08:57:21 PM »
Oh whoops, I thought it was Chromium, but I wasn't sure and when I searched for it I read it was Chrome.
Anyway, that does not change the fact that it has lots of vulnerabilities and doesn't support TLS 1.2.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 82724
  • No support PMs thanks
Re: [Avast 2015] SafeZone browser based on obsolete version of Chrome
« Reply #3 on: August 23, 2014, 09:04:12 PM »
Well we don't know what they may be as we don't know what the customisations are - not to mention the safezome browser is completely isolated from the regular desktop.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.2.2401 (build 20.2.5130.561) UI-1.0.502/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31352
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: [Avast 2015] SafeZone browser based on obsolete version of Chrome
« Reply #4 on: August 23, 2014, 10:22:15 PM »
Quote
Anyway, that does not change the fact that it has lots of vulnerabilities and doesn't support TLS 1.2.
Proove that it has vulnerabilities and submit them to avast so they can improve things.

Offline BoerenkoolMetWorst

  • Newbie
  • *
  • Posts: 3
Re: [Avast 2015] SafeZone browser based on obsolete version of Chrome
« Reply #5 on: August 24, 2014, 09:30:45 AM »
Well we don't know what they may be as we don't know what the customisations are - not to mention the safezome browser is completely isolated from the regular desktop.
Since it is based on Chromium, there is a high probability that is is still affected by most of the vulnerabilities.
And as I understand it, SafeZone is isolated in a way so that malware on the regular desktop cannot touch SafeZone, not the other way around. Even if the case it would still be safer to fix them.

Quote
Anyway, that does not change the fact that it has lots of vulnerabilities and doesn't support TLS 1.2.
Proove that it has vulnerabilities and submit them to avast so they can improve things.
These are all publicly known and fixed vulnerabilities in Chromium, why should I have to prove anything?
Want a list?:

[257748] Medium CVE-2013-2881: Origin bypass in frame handling. Credit to Karthik Bhargavan.
[260106] High CVE-2013-2882: Type confusion in V8. Credit to Cloudfuzzer.
[260165] High CVE-2013-2883: Use-after-free in MutationObserver. Credit to Cloudfuzzer.
[248950] High CVE-2013-2884: Use-after-free in DOM. Credit to Ivan Fratric of Google Security Team.
[249640] [257353] High CVE-2013-2885: Use-after-free in input handling. Credit to Ivan Fratric of Google Security Team.
[261701] High CVE-2013-2886: Various fixes from internal audits, fuzzing and other initiatives.
[181617] High CVE-2013-2900: Incomplete path sanitization in file handling. Credit to Krystian Bigaj.
[254159] Low CVE-2013-2905: Information leak via overly broad permissions on shared memory files. Credit to Christian Jaeger.
[257363] High CVE-2013-2901: Integer overflow in ANGLE. Credit to Alex Chapman.
[260105] High CVE-2013-2902: Use after free in XSLT. Credit to cloudfuzzer.
[260156] High CVE-2013-2903: Use after free in media element. Credit to cloudfuzzer.
[260428] High CVE-2013-2904: Use after free in document parsing. Credit to cloudfuzzer.
[274602] CVE-2013-2887: Various fixes from internal audits, fuzzing and other initiatives (Chrome 29).
[223962][270758][271161][284785][284786] Medium CVE-2013-2906: Races in Web Audio. Credit to Atte Kettunen of OUSPG.
[260667] Medium CVE-2013-2907: Out of bounds read in Window.prototype object. Credit to Boris Zbarsky.
[265221] Medium CVE-2013-2908: Address bar spoofing related to the “204 No Content” status code. Credit to Chamal de Silva.
[265838][279277] High CVE-2013-2909: Use after free in inline-block rendering. Credit to Atte Kettunen of OUSPG.
[269753] Medium CVE-2013-2910: Use-after-free in Web Audio. Credit to Byoungyoung Lee of Georgia Tech Information Security Center (GTISC).
[271939] High CVE-2013-2911: Use-after-free in XSLT. Credit to Atte Kettunen of OUSPG.
[276368] High CVE-2013-2912: Use-after-free in PPAPI. Credit to Chamal de Silva and 41.w4r10r(at)garage4hackers.com.
[278908] High CVE-2013-2913: Use-after-free in XML document parsing. Credit to cloudfuzzer.
[279263] High CVE-2013-2914: Use after free in the Windows color chooser dialog. Credit to Khalil Zhani.
[280512] Low CVE-2013-2915: Address bar spoofing via a malformed scheme. Credit to Wander Groeneveld.
[281256] High CVE-2013-2916: Address bar spoofing related to the “204 No Content” status code. Credit to Masato Kinugawa.
[281480] Medium CVE-2013-2917: Out of bounds read in Web Audio. Credit to Byoungyoung Lee and Tielei Wang of Georgia Tech Information Security Center (GTISC).
[282088] High CVE-2013-2918: Use-after-free in DOM. Credit to Byoungyoung Lee of Georgia Tech Information Security Center (GTISC).
[282736] High CVE-2013-2919: Memory corruption in V8. Credit to Adam Haile of Concrete Data.
[285742] Medium CVE-2013-2920: Out of bounds read in URL parsing. Credit to Atte Kettunen of OUSPG.
[286414] High CVE-2013-2921: Use-after-free in resource loader. Credit to Byoungyoung Lee and Tielei Wang of Georgia Tech Information Security Center (GTISC).
[286975] High CVE-2013-2922: Use-after-free in template element. Credit to Jon Butler.
[299016] CVE-2013-2923: Various fixes from internal audits, fuzzing and other initiatives (Chrome 30).
[275803] Medium CVE-2013-2924: Use-after-free in ICU. Upstream bug here.
[292422] High CVE-2013-2925: Use after free in XHR. Credit to Atte Kettunen of OUSPG.
[294456] High CVE-2013-2926: Use after free in editing. Credit to cloudfuzzer.
[297478] High CVE-2013-2927: Use after free in forms. Credit to cloudfuzzer.
[305790] CVE-2013-2928: Various fixes from internal audits, fuzzing and other initiatives.
[268565] Medium CVE-2013-6621: Use after free related to speech input elements. Credit to Khalil Zhani.
[272786] High CVE-2013-6622: Use after free related to media elements. Credit to cloudfuzzer.
[282925] High CVE-2013-6623: Out of bounds read in SVG. Credit to miaubiz.
[290566] High CVE-2013-6624: Use after free related to “id” attribute strings. Credit to Jon Butler.
[295010] High CVE-2013-6625: Use after free in DOM ranges. Credit to cloudfuzzer.
[295695] Low CVE-2013-6626: Address bar spoofing related to interstitial warnings. Credit to Chamal de Silva.
[299892] High CVE-2013-6627: Out of bounds read in HTTP parsing. Credit to skylined.
[306959] Medium CVE-2013-6628: Issue with certificates not being checked during TLS renegotiation. Credit to Antoine Delignat-Lavaud and Karthikeyan Bhargavan from Prosecco of INRIA Paris.
[315823] Medium-Critical CVE-2013-2931: Various fixes from internal audits, fuzzing and other initiatives.
[258723] Medium CVE-2013-6629: Read of uninitialized memory in libjpeg and libjpeg-turbo. Credit to Michal Zalewski of Google.
[299835] Medium CVE-2013-6630: Read of uninitialized memory in libjpeg-turbo. Credit to Michal Zalewski of Google.
[296804] High CVE-2013-6631: Use after free in libjingle. Credit to Patrik Höglund of the Chromium project.
[319117] [319125] Critical CVE-2013-6632: Multiple memory corruption issues. Credit to Pinkie Pie.
[307159] Medium CVE-2013-6634: Session fixation in sync related to 302 redirects. Credit to Andrey Labunets.
[314469] High CVE-2013-6635: Use-after-free in editing. Credit to cloudfuzzer.
[322959] Medium CVE-2013-6636: Address bar spoofing related to modal dialogs. Credit to Bas Venis.
[325501] CVE-2013-6637: Various fixes from internal audits, fuzzing and other initiatives.
[319722] Medium CVE-2013-6638: Buffer overflow in v8. This issue was fixed in v8 version 3.22.24.7. Credit to Jakob Kummerow of the Chromium project.
[319835] High CVE-2013-6639: Out of bounds write in v8. This issue was fixed in v8 version 3.22.24.7. Credit to Jakob Kummerow of the Chromium project.
[319860] Medium CVE-2013-6640: Out of bounds read in v8. This issue was fixed in v8 version 3.22.24.7. Credit to Jakob Kummerow of the Chromium project.
[249502] High CVE-2013-6646: Use-after-free in web workers. Credit to Collin Payne.
[326854] High CVE-2013-6641: Use-after-free related to forms. Credit to Atte Kettunen of OUSPG.
[324969] High CVE-2013-6642: Address bar spoofing in Chrome for Android. Credit to lpilorz.
[321940] High CVE-2013-6643: Unprompted sync with an attacker’s Google account. Credit to Joao Lucas Melo Brasio.
[318791] Medium CVE-2013-6645 Use-after-free related to speech input elements. Credit to Khalil Zhani.
[333036] CVE-2013-6644: Various fixes from internal audits, fuzzing and other initiatives.
[321940] High CVE-2013-6643: Unprompted sync with an attacker’s Google account. Credit to Joao Lucas Melo Brasio.
[330420] High CVE-2013-6649: Use-after-free in SVG images. Credit to Atte Kettunen of OUSPG.
[331444] High CVE-2013-6650: Memory corruption in V8. This issue was fixed in v8 version 3.22.24.16. Credit to Christian Holler.
[334897] High CVE-2013-6652: Issue with relative paths in Windows sandbox named pipe policy. Credit to tyranid.
[331790] High CVE-2013-6653: Use-after-free related to web contents. Credit to Khalil Zhani.
[333176] High CVE-2013-6654: Bad cast in SVG. Credit to TheShow3511.
[293534] High CVE-2013-6655: Use-after-free in layout. Credit to cloudfuzzer.
[331725] High CVE-2013-6656: Information leak in XSS auditor. Credit to NeexEmil.
[331060] Medium CVE-2013-6657: Information leak in XSS auditor. Credit to NeexEmil.
[322891] Medium CVE-2013-6658: Use-after-free in layout. Credit to cloudfuzzer.
[306959] Medium CVE-2013-6659: Issue with certificates validation in TLS handshake. Credit to Antoine Delignat-Lavaud and Karthikeyan Bhargavan from Prosecco, Inria Paris.
[332579] Low CVE-2013-6660: Information leak in drag and drop. Credit to bishopjeffreys.
[344876] Low-High CVE-2013-6661: Various fixes from internal audits, fuzzing and other initiatives. Of these, seven are fixes for issues that could have allowed for sandbox escapes from compromised renderers.
[344492] High CVE-2013-6663: Use-after-free in svg images. Credit to Atte Kettunen of OUSPG.
[326854] High CVE-2013-6664: Use-after-free in speech recognition. Credit to Khalil Zhani.
[337882] High CVE-2013-6665: Heap buffer overflow in software rendering. Credit to cloudfuzzer.
[332023] Medium CVE-2013-6666: Chrome allows requests in flash header request. Credit to netfuzzerr.
[348175] CVE-2013-6667: Various fixes from internal audits, fuzzing and other initiatives.
[343964, 344186, 347909] CVE-2013-6668: Multiple vulnerabilities in V8 fixed in version 3.24.35.10.
[344881] High CVE-2014-1700: Use-after-free in speech. Credit to Chamal de Silva.
[342618] High CVE-2014-1701: UXSS in events. Credit to aidanhs.
[333058] High CVE-2014-1702: Use-after-free in web database. Credit to Collin Payne.
[338354] High CVE-2014-1703: Potential sandbox escape due to a use-after-free in web sockets.
[328202, 349079, 345715] CVE-2014-1704: Multiple vulnerabilities in V8 fixed in version 3.23.17.18.
[352369] Code execution outside sandbox. Credit to VUPEN.
[352374] High CVE-2014-1713: Use-after-free in Blink bindings
[352395] High CVE-2014-1714: Windows clipboard vulnerability
[352420] Code execution outside sandbox. Credit to Anonymous.
[351787] High CVE-2014-1705: Memory corruption in V8
[352429] High CVE-2014-1715: Directory traversal issue
[354123] High CVE-2014-1716: UXSS in V8. Credit to Anonymous.
[353004] High CVE-2014-1717: OOB access in V8. Credit to Anonymous.
[348332] High CVE-2014-1718: Integer overflow in compositor. Credit to Aaron Staple.
[343661] High CVE-2014-1719: Use-after-free in web workers. Credit to Collin Payne.
[356095] High CVE-2014-1720: Use-after-free in DOM. Credit to cloudfuzzer.
[350434] High CVE-2014-1721: Memory corruption in V8. Credit to Christian Holler.
[330626] High CVE-2014-1722: Use-after-free in rendering. Credit to miaubiz.
[337746] High CVE-2014-1723: Url confusion with RTL characters. Credit to George McBay.
[327295] High CVE-2014-1724: Use-after-free in speech. Credit to Atte Kettunen of OUSPG.
[357332] Medium CVE-2014-1725: OOB read with window property. Credit to Anonymous
[346135] Medium CVE-2014-1726: Local cross-origin bypass. Credit to Jann Horn.
[342735] Medium CVE-2014-1727: Use-after-free in forms. Credit to Khalil Zhani.
[360298] CVE-2014-1728: Various fixes from internal audits, fuzzing and other initiatives.
[345820, 347262, 348319, 350863, 352982, 355586, 358059] CVE-2014-1729: Multiple vulnerabilities in V8 fixed in version 3.24.35.22.
[354967] High CVE-2014-1730: Type confusion in V8. Credit to Anonymous.
[349903] High CVE-2014-1731: Type confusion in DOM. Credit to John Butler.
[359802] High CVE-2014-1736: Integer overflow in V8.  Credit to SkyLined working with HP's Zero Day Initiative
[352851] Medium CVE-2014-1732: Use-after-free in Speech Recognition. Credit to Khalil Zhani
[351103] Medium CVE-2014-1733: Compiler bug in Seccomp-BPF. Credit to Jed Davis
[367314] CVE-2014-1734: Various fixes from internal audits, fuzzing and other initiatives.
[359130, 359525, 360429] CVE-2014-1735: Multiple vulnerabilities in V8 fixed in version 3.24.35.33.
[356653] High CVE-2014-1743: Use-after-free in styles. Credit to cloudfuzzer.
[359454] High CVE-2014-1744: Integer overflow in audio. Credit to Aaron Staple.
[346192] High CVE-2014-1745: Use-after-free in SVG. Credit to Atte Kettunen of OUSPG.
[364065] Medium CVE-2014-1746: Out-of-bounds read in media filters. Credit to Holger Fuhrmannek.
[330663] Medium CVE-2014-1747: UXSS with local MHTML file. Credit to packagesu.
[331168] Medium CVE-2014-1748: UI spoofing with scrollbar. Credit to Jordan Milne.
[374649] CVE-2014-1749: Various fixes from internal audits, fuzzing and other initiatives.
[358057] CVE-2014-3152: Integer underflow in V8 fixed in version 3.25.28.16.
[369525] High CVE-2014-3154: Use-after-free in filesystem api. Credit to Collin Payne.
[369539] High CVE-2014-3155: Out-of-bounds read in SPDY. Credit to James March, Daniel Sommermann and Alan Frindell of Facebook.
[369621] Medium CVE-2014-3156: Buffer overflow in clipboard. Credit to Atte Kettunen of OUSPG.
[368980] CVE-2014-3157: Heap overflow in media.
[380885] Medium CVE-2014-3160: Same-Origin-Policy bypass in SVG. Credit to Christian Schneider.
[393765] CVE-2014-3162: Various fixes from internal audits, fuzzing and other initiatives.
[390174] High CVE-2014-3165: Use-after-free in web sockets. Credit to Collin Payne.
[398925] High CVE-2014-3166: Information disclosure in SPDY. Credit to Antoine Delignat-Lavaud.
[400950] CVE-2014-3167: Various fixes from internal audits, fuzzing and other initiatives.

And this list isn't even complete.



Offline irongod

  • Full Member
  • ***
  • Posts: 111
Re: [Avast 2015] SafeZone browser based on obsolete version of Chrome
« Reply #6 on: August 24, 2014, 12:36:47 PM »
Probably as Beta 1 it doesn't include all the features or the release... they want to test the AV/FW engine! Other stuff as the UI and add-ons (SW updater, SafeZone, Sandbox) might be integrated later on with no problems! Especially I think that update the Chromium version does not take huge resources  :P

If I am correct the team already promised that from Beta 2 we will see more of v2015 features, rather than a v2014 with changes under the hood!
You take the tarot cards and throw them to the wind!

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31352
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: [Avast 2015] SafeZone browser based on obsolete version of Chrome
« Reply #7 on: August 24, 2014, 03:11:12 PM »
You posted vulnerabilities in Chromium.
The SafeZone browser is based on Chromium, but that doesn't mean it has those vulnerabilities.
avast has build it's own version and may have patched them.

What I mean is like this:
A certain brand/model car has a problem with the breaks.
I replace the brakes with brand/type that doesn't have the problems.
Sure, the original car has problems, but mine hasn't although it is based on the original car.

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11665
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: [Avast 2015] SafeZone browser based on obsolete version of Chrome
« Reply #8 on: August 24, 2014, 09:42:11 PM »
No worries, this will be fixed before the product goes officially live.
If at first you don't succeed, then skydiving's not for you.

Offline BoerenkoolMetWorst

  • Newbie
  • *
  • Posts: 3
Re: [Avast 2015] SafeZone browser based on obsolete version of Chrome
« Reply #9 on: August 25, 2014, 03:32:34 PM »
You posted vulnerabilities in Chromium.
The SafeZone browser is based on Chromium, but that doesn't mean it has those vulnerabilities.
avast has build it's own version and may have patched them.

What I mean is like this:
A certain brand/model car has a problem with the breaks.
I replace the brakes with brand/type that doesn't have the problems.
Sure, the original car has problems, but mine hasn't although it is based on the original car.
I'm not saying it has all of them, but at least a part of them, very likely a large part.
Going to your analogy, it's not just the brakes that has a problem, but there are multiple problems with the engine, gearbox, ignition, airfilter and suspension as well.

No worries, this will be fixed before the product goes officially live.

Thanks, good to hear :)