WHY the Security Hole in AVAST?

[willfarnaby]

Why on earth does C:\Program Files\Alwil Software\Avast4\DATA and its contents grant Full Control security permission to Everyone ?!

Is their some obscure reason for this bizarre insecurity?

[Vlk]

Could you please elaborate a bit more why you think this is a "security hole" (or even "bizarre insecurity")?

Thanks
Vlk

[willfarnaby]

Bizarre in the sense that, AFAIK, it shouldn't be necessary. For example, I've installed many, many applications (consumer, for development, etc.) and can't recall, at the moment, any others even involving the Everyone role, let alone granting it a full set of permissions.

So, what is the rationale for the .../DATA directory's security assignments?
Can I remove Everyone?
Does a member of the User group need write permission?
If so, why isn't each user's user.dir / isolated storage used instead of opening up the location under Program Files?

[Lisandro]

Some antivirus (like ClamWin or AVG) use the Documents & Settings folder (personal profile) to store files that need to be written by common users (I suppose).

[wendy k. walker]

OK, so did anyone ever figure out if that is actually a big security hole, or if it is anywhere near being a bizarre insecurity?

♥ Wendy

[avvidro]

What!? Excuse my sincerity, but you asked.

The security hole in giving full control to everyone  to Avast folders can be exploited by malicious users with no privileges at all to remove files or replace them with malwares, escalation of privileges and so on.

If the info posted by Wendy is true, the bizarre could be how easily this issue passed by two Avast evangelists without apparent fireing the red alert in the comunity.

[RejZoR]

Like it matters? I mean we all run in Admin mode? What difference does it make?

[kubecj]

avvidro: What escalation of privileges in DATA folder? What malware replacements in DATA folder? Etc...

[wendy k. walker]

OK so now I don''t know if I should be waving a red flag, banging my head on my desk, or just sitting here crying.

Has anyone from Avast! been able to make a determination as to whether this is actually "A Big Security Hole" or not?

♥ Wendy

[martosurf]

What!? Excuse my sincerity, but you asked.

The security hole in giving full control to everyone  to Avast folders can be exploited by malicious users with no privileges at all to remove files or replace them with malwares, escalation of privileges and so on.

If the info posted by Wendy is true, the bizarre could be how easily this issue passed by two Avast evangelists without apparent fireing the red alert in the comunity.

Can you give some concrete examples to help me figure it better, please??

[Lisandro]

Has anyone from Avast! been able to make a determination as to whether this is actually "A Big Security Hole" or not?

Shortly, there isn't 

[DavidR]

Is or isn't this to do with the escalation of privileges vulnerability where this was previously possible (effecting several AVs including avast), however, recent program update have or were supposed to correct this issue. So much so that some users couldn't view the avast4 folder (they didn't even have read permission) corrected by another program update.

Currently I believe it is only read permissions to all in the Data folder so this begs the question are you using the latest version of avast (current version 4.7.844).

[Erroneus]

Using v844 and everyone has full access here and yes it's a problem 

If running on a PC with a single admin user, well then no problem, but if running on a pc, lets say eg. in a company or on a school where the user has restricted permissions on the computer, it's a huge security hole.

Please look into this "avast".

[kubecj]

Still not getting what's the problem.

Avast sets whole directory as read-only. Except for data folder. What's the problem with that again?

[Negeltu]

Still not getting what's the problem.

Avast sets whole directory as read-only. Except for data folder. What's the problem with that again?

I don't really see the problem either.