Author Topic: Current javascript bug mitigation  (Read 3734 times)

0 Members and 1 Guest are viewing this topic.

Offline JLJ-o-matic

  • Jr. Member
  • **
  • Posts: 45
Current javascript bug mitigation
« on: March 12, 2020, 09:49:40 PM »
Using Avast Free 19.8.2393 (19.8.4257.555) ~ waiting to update program after reports here of issues with 20.1; just read about the javascript vulnerability. Prefer to continue putting off program update until this is also addressed, so question: can this vulnerability be mitigated by manually disabling "script scanning" from Protection/Core Shields/Web Shield?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: Current javascript bug mitigation
« Reply #1 on: March 12, 2020, 10:15:51 PM »
« Last Edit: March 12, 2020, 10:18:15 PM by Pondus »

Offline JLJ-o-matic

  • Jr. Member
  • **
  • Posts: 45
Re: Current javascript bug mitigation
« Reply #2 on: March 12, 2020, 11:14:36 PM »
Yes. If either of those articles, which I've read, contain the answer to my question -- I missed it.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Current javascript bug mitigation
« Reply #3 on: March 13, 2020, 05:28:00 AM »
Dev-Info: To protect our hundreds of millions of users, we disabled the emulator. The disablement of the emulator won't affect the functionality of our AV product, which is based on multiple security layers.
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Current javascript bug mitigation
« Reply #4 on: March 13, 2020, 06:02:20 AM »
L.S.

Google Project Zero compliancy coming into the bargain maybe? Tab bug playing into the matter?
Javascript was invented by Brendan Eich in ten days. Sorry that it cannot be made secure in 100 days  ;)
Javascript exact runtime often is a good indicator as is really pentesting for sinks and sources.  ;D

polonus (volunteer 3rd party cold recon website (javascript) security analyst and website error-hunter)
« Last Edit: March 13, 2020, 06:04:14 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline JLJ-o-matic

  • Jr. Member
  • **
  • Posts: 45
Re: Current javascript bug mitigation
« Reply #5 on: March 13, 2020, 06:20:25 AM »
Dev-Info: To protect our hundreds of millions of users, we disabled the emulator. The disablement of the emulator won't affect the functionality of our AV product, which is based on multiple security layers.

Yes. If that sentence, which I've read, contains the answer to my question -- I missed it.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Current javascript bug mitigation
« Reply #6 on: March 13, 2020, 11:09:07 AM »
Dev-Info: To protect our hundreds of millions of users, we disabled the emulator. The disablement of the emulator won't affect the functionality of our AV product, which is based on multiple security layers.

Yes. If that sentence, which I've read, contains the answer to my question -- I missed it.

My reading of it is, if the emulator has been disabled (it won't be run), then so too would be the potential problem.  That would give time to either fix the bug or do it another way.

You were considering disabling web shield scanning as a means of mitigation, a sledge hammer to crack a nut, the disabling of the emulator, is using a smaller hammer and allowing other functions/levels of protection to also run.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline JLJ-o-matic

  • Jr. Member
  • **
  • Posts: 45
Re: Current javascript bug mitigation
« Reply #7 on: March 13, 2020, 04:11:47 PM »
Dev-Info: To protect our hundreds of millions of users, we disabled the emulator. The disablement of the emulator won't affect the functionality of our AV product, which is based on multiple security layers.

Yes. If that sentence, which I've read, contains the answer to my question -- I missed it.

My reading of it is, if the emulator has been disabled (it won't be run), then so too would be the potential problem.  That would give time to either fix the bug or do it another way.

You were considering disabling web shield scanning as a means of mitigation, a sledge hammer to crack a nut, the disabling of the emulator, is using a smaller hammer and allowing other functions/levels of protection to also run.

Well not necessarily -- I have no intention of "disabling web scanning" in its entirety, rather, as stated, simply disabling the "script scanning" component of it. (FWIW I use NoScript in all browsers.)

So my question remains: is the result of manually un-checking "enable script scanning" the same as the update's "disabling the emulator" - ? Or is "the emulator" a more complex function(s) which cannot be disabled by this single user setting?

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
Re: Current javascript bug mitigation
« Reply #8 on: March 13, 2020, 04:20:37 PM »
No, these two settings are completely unrelated.
There's no settings that would disable or enable the internal emulator.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Current javascript bug mitigation
« Reply #9 on: March 13, 2020, 06:16:49 PM »
Dev-Info: To protect our hundreds of millions of users, we disabled the emulator. The disablement of the emulator won't affect the functionality of our AV product, which is based on multiple security layers.

Yes. If that sentence, which I've read, contains the answer to my question -- I missed it.

My reading of it is, if the emulator has been disabled (it won't be run), then so too would be the potential problem.  That would give time to either fix the bug or do it another way.

You were considering disabling web shield scanning as a means of mitigation, a sledge hammer to crack a nut, the disabling of the emulator, is using a smaller hammer and allowing other functions/levels of protection to also run.

Well not necessarily -- I have no intention of "disabling web scanning" in its entirety, rather, as stated, simply disabling the "script scanning" component of it. (FWIW I use NoScript in all browsers.)

So my question remains: is the result of manually un-checking "enable script scanning" the same as the update's "disabling the emulator" - ? Or is "the emulator" a more complex function(s) which cannot be disabled by this single user setting?

Well your initial comment "can this vulnerability be mitigated by manually disabling "script scanning" from Protection/Core Shields/Web Shield?"

This was what my response was based on, which is now a moot point given Igor's post and I guess why the JavaScript emulator was disabled.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline JLJ-o-matic

  • Jr. Member
  • **
  • Posts: 45
Re: Current javascript bug mitigation
« Reply #10 on: March 14, 2020, 03:02:57 AM »
No, these two settings are completely unrelated.
There's no settings that would disable or enable the internal emulator.

Thank you!

Offline JLJ-o-matic

  • Jr. Member
  • **
  • Posts: 45
Re: Current javascript bug mitigation
« Reply #11 on: March 14, 2020, 05:25:20 AM »
Followup: FWIW I updated to 20.1.2397 and no apparent problems. THX