Author Topic: WHY the Security Hole in AVAST?  (Read 8687 times)

Offline Dwarden

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1791
  • Ideas, that's ocean without borders!
    • Bohemia Interactive
Re: WHY the Security Hole in AVAST?
« Reply #15 on: June 16, 2006, 03:40:23 PM »
The only thing that can be done this way is for someone from this "Everyone" group to read, modify or damage Avast! Data folder files ... in that case he can at most read logs or cause Avast! to not operate correctly ...

There are no executables or loaded libs, so infection with trojans does not take place ...

YET another problem could be the ability of "Everyone" to place a file there and then execute it (full control right)
- but that would mean anywhere in the filesystem on the actual PC "Everyone" is set to READ ONLY right ... i.e. schools, like someone mentioned
in such a case Avast! DATA folder rights could turn into an 'issue'

A possible solution for the future: while installing / updating avast! there should be a dialog asking about directory access rights, allowing to choose Everyone or Custom ... or something like that ...

Am I missing something?  :P
https://twitter.com/FoltynD , Tech. Community, Online Services & Distribution manager of Bohemia Interactive

Offline Vlk

  • Avast CEO
  • Serious Graphoman
  • *
  • Posts: 11664
  • Please don't send me IM's. Email only. Thx.
    • ALWIL Software
Re: WHY the Security Hole in AVAST?
« Reply #16 on: June 16, 2006, 04:13:20 PM »
Please also note that this is only a "feature" of avast Home/Pro.
Network Editions of avast have all folders locked down (including DATA or the logs) - because it must be tamper-proof. That is, regular users should not be, in any way, able to influence avast's operation.


Cheers
Vlk
If at first you don't succeed, then skydiving's not for you.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re: WHY the Security Hole in AVAST?
« Reply #17 on: June 16, 2006, 05:40:44 PM »
But that would mean anywhere in the filesystem on the actual PC "Everyone" is set to READ ONLY right ... i.e. schools, like someone mentioned; in such a case Avast! DATA folder rights could turn into an 'issue'
Two points:
1. Why aren't the common users allowed only to read and execute files in the avast folders? (like, for instance, the MS Office folder under Program Files)
2. At schools, most probably, they're not allowed to be using avast! Home version  :-[
The best things in life are free.
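
The permission state discussed in the posts above (a broad group such as "Everyone" holding write or full-control rights on a program's data folder) can be checked directly. The PowerShell script below is an added example, not part of the original thread and not Avast's own tooling; it goes slightly beyond the thread by also checking Authenticated Users and BUILTIN\Users, and the folder path is a parameter because the thread does not state it.

```powershell
# Added example: report ACEs that let broad groups modify a folder tree.
param(
    # Folder to audit. The thread does not give the DATA folder's path,
    # so it is supplied by the caller.
    [Parameter(Mandatory)] [string] $Path
)

# Well-known SIDs, so the check does not depend on localized group names.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

$FSR = [System.Security.AccessControl.FileSystemRights]
# Rights that allow planting or altering files, or rewriting the ACL,
# plus the raw GENERIC_ALL / GENERIC_WRITE bits some ACEs carry.
$writeMask = [int]($FSR::WriteData -bor $FSR::AppendData -bor $FSR::Delete -bor
    $FSR::DeleteSubdirectoriesAndFiles -bor $FSR::ChangePermissions -bor
    $FSR::TakeOwnership) -bor 0x10000000 -bor 0x40000000
# ExecuteFile plus the raw GENERIC_ALL / GENERIC_EXECUTE bits.
$execMask = [int]($FSR::ExecuteFile) -bor 0x10000000 -bor 0x20000000

$items = @(Get-Item -LiteralPath $Path -Force) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    $sd = Get-Acl -LiteralPath $item.FullName
    # Ask for SIDs rather than account names; include inherited ACEs.
    $rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or -not $broad.ContainsKey($sid)) { continue }
        $rights = [int]$ace.FileSystemRights
        if ($rights -band $writeMask) {
            [pscustomobject]@{
                Path            = $item.FullName
                Principal       = $broad[$sid]
                Rights          = $ace.FileSystemRights
                Inherited       = $ace.IsInherited
                # Write plus execute is the "place a file, then run it" case.
                WriteAndExecute = [bool]($rights -band $execMask)
            }
        }
    }
}
```

An empty result means none of the three groups holds write-type rights anywhere under the folder, which is the read-and-execute-only state asked for in point 1 above.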

Offline darkultra

  • Newbie
  • *
  • Posts: 6
Re: WHY the Security Hole in AVAST?
« Reply #18 on: June 17, 2006, 01:53:47 AM »
It is a sign of bad software design.

I think Windows Vista is much more strict about this and most Unix and Linux programmers would giggle, but they are used to a better user privilege culture.

Lately Windows has gotten separate folders for Programs and their settings and user data.

C:\Program Files\
C:\Documents and Settings\%username%\Application Data\

Would it be much work to rewrite Avast4 Home/Pro to use this directory for settings instead?

I myself prefer programs that keep settings in their own dir, do not touch the registry and don't have to be reinstalled if I have to reinstall Windows. Saves a lot of time.
http://jooh.no/programs_on_d.html

Offline avvidro

  • Jr. Member
  • **
  • Posts: 75
  • I'm not a llama!
Re: WHY the Security Hole in AVAST?
« Reply #19 on: June 18, 2006, 02:35:35 PM »
The security focused site Secunia (which is one of the most active sites in identifying Microsoft Internet Explorer flaws) has more details about this issue.

http://secunia.com/advisories/19284/

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re: WHY the Security Hole in AVAST?
« Reply #20 on: June 18, 2006, 04:46:54 PM »
The security focused site Secunia (which is one of the most active sites in identifying Microsoft Internet Explorer flaws) has more details about this issue.
http://secunia.com/advisories/19284/
Thanks for posting...
Indeed, it's not a good advertisement for avast  :'( :-\

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85967
  • No support PMs thanks
Re: WHY the Security Hole in AVAST?
« Reply #21 on: June 18, 2006, 04:52:29 PM »
However, this vulnerability has been patched, as was mentioned in the link to the forums in the advisory, and as I mentioned previously avast wasn't the only AV or program to be affected by this vulnerability.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67247
Re: WHY the Security Hole in AVAST?
« Reply #22 on: June 18, 2006, 05:10:56 PM »
However, this vulnerability has been patched as was mentioned in the link to the forums in the advisory
Where? In the last 4.7 version?

and as I mentioned previously avast wasn't the only AV or program to be affected by this vulnerability.
This is not an excuse for avast...
I think AVG and ClamWin use the Documents & Settings folder to store user files. Firefox does the same to store the profiles.
It wouldn't be bad if avast could support profiles. This seems only to be possible in the ADNM version  :P

Offline avvidro

  • Jr. Member
  • **
  • Posts: 75
  • I'm not a llama!
Re: WHY the Security Hole in AVAST?
« Reply #23 on: June 18, 2006, 05:33:49 PM »
However, this vulnerability has been patched, as was mentioned in the link to the forums in the advisory, and as I mentioned previously avast wasn't the only AV or program to be affected by this vulnerability.
As mentioned at this link ( http://secunia.com/product/5162/ ) this issue remains unpatched.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85967
  • No support PMs thanks
Re: WHY the Security Hole in AVAST?
« Reply #24 on: June 18, 2006, 06:29:13 PM »
Which is just pointing back to the advisory that you previously posted (categorised as Less Critical), which I have to take Igor's word that it will now have been patched (as there have been program updates since that time 3 months ago) and also on the forum link given http://forum.avast.com/index.php?topic=19862.0.

There is also a workaround solution given by toadlife, after Igor's post, so people could do something prior to the next program update.