Author Topic: "10-year-old vulnerabilities in Avast and AVG put millions of users at risk"  (Read 3131 times)


Offline loungehake

  • Dummy Half
  • Poster
  • *
  • Posts: 425
  • Come on lad! You've only got 70 yards to go.
Please click the following to read Born's Tech and Windows World report on this topic:-

https://borncity.com/win/2022/05/05/10-jahre-alte-schwachstellen-in-avast-und-avg-gefhrden-millionen-nutzer/#more-24356

I maintain a friend's Windows 10 system which is still using Avast Free 21.5.  Updating to a later version is a problem because doing so causes a system behaviour problem.  This may well lock my friend's system out of the Avast rootkit protection software fix which is apparently provided with version 22.1.  OUCH!

Avast urgently needs to issue fixes to all currently supported versions, including my friend's installation.  It is only by luck that I have become aware of this issue.  Avast has up to now been silent.  Please act in order to also protect those who, by no fault of their own, have not been able to update to version 22.
« Last Edit: May 05, 2022, 09:26:18 PM by loungehake »
Windows 10 Pro 22H2 x64, Avast Free 24.1, Malwarebytes Anti-Exploit, Malwarebytes Anti-Ransomware

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48523
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
If you use an AV that hasn't updated since Feb of 2022,
Do you really have any protection?
Your AV needs to be kept up-to-date to be fully effective.
Program updates also fix program problems.
The problem described in the article you quoted was reported in Dec. 2021
and fixed in Feb. 2022.
In order for you to not be vulnerable, you need to update the product.
You should also note that the vulnerability described has not been exploited.
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
@loungehake
Well there are two trains of thought:

It isn't Avast's fault they can't or didn't update to Avast 22.1.  I'm still sat on avast 22.2, in no rush for me to get 22.3 or 22.4 that has just been released.

For whatever reason a user chooses not to update or can't update (XP in your signature) is their choice.  Update OS, etc. or stick with whatever OS or version knowing the potential risk.

I don't know if this could be delivered in the virus & engine updates or if the emergency update function is compatible with whichever older version of avast they are using.  A case in point being your use of Avast Free 10.4.2233 with XP when the last supported version for XP was 18.8 - XP related topic - https://forum.avast.com/index.php?topic=220640.0

It already has in avast 22.1.xxxx

Quote from: Avast
Official Avast Statement: Avast is an active participant in the coordinated vulnerability disclosure process, and we appreciate that SentinelOne has worked with us and provided a detailed analysis of the vulnerabilities identified. SentinelOne reported two vulnerabilities, now tracked as CVE-2022-26522 and CVE-2022-26523, to us on December 20, 2021.

We worked on a fix released in version 22.1 in February 2022 and notified SentinelOne of this applied fix. Avast and AVG users were automatically updated and are protected against any risk of exploitation, although we have not seen the vulnerabilities abused in the wild. We recommend our Avast and AVG users constantly update their software to the latest version to be protected. Coordinated disclosure is an excellent way of preventing risks from manifesting into attacks, and we encourage participation in our bug bounty program.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline loungehake

The system in question is a Windows 10 Pro 64 bit system 21H2.  It is not a voluntary choice not to update Avast 21.5 to 22.1 or later.   I had a similar issue with a Windows 7 system but because it is mine and I don't use it for sensitive purposes, I solved the problem by using Panda Dome Free which is also now working nicely on my XP museum piece.  I had also tried Avast One on Windows 7 but the Avast family similarities also seemed to apply and precluded Avast One from being a usable alternative.

I appreciate that security software gets deep into the OS and hidden flaws can develop in the OS which cause issues like I am alluding to.  There seems to be a login/logout issue between Avast and both Windows 7 and 10.  The Windows 10 system in question would not even present a logon procedure after the attempt was made to update from Avast Free 21.5.  After I had uninstalled Avast 21.8, it was not possible to reinstall 21.5 as the installation process seemed also to create the problem issue.  Fortunately I had done a system backup just previously and restoring from that allowed the system to run OK with Avast 21.5.  Subsequent Patch Tuesday updates cause no problems.  Puzzling!

I lack the knowledge and capability to reasonably attribute blame to either of the OSs or Avast.
« Last Edit: May 05, 2022, 11:08:56 PM by loungehake »

Offline r@vast

  • Avast team
  • Massive Poster
  • *
  • Posts: 2761
Quote from: loungehake
Please click the following to read Born's Tech and Windows World report on this topic:-

https://borncity.com/win/2022/05/05/10-jahre-alte-schwachstellen-in-avast-und-avg-gefhrden-millionen-nutzer/#more-24356

I maintain a friend's Windows 10 system which is still using Avast Free 21.5.  Updating to a later version is a problem because doing so causes a system behaviour problem.  This may well lock my friend's system out of the Avast rootkit protection software fix which is apparently provided with version 22.1.  OUCH!

Avast urgently needs to issue fixes to all currently supported versions, including my friend's installation.  It is only by luck that I have become aware of this issue.  Avast has up to now been silent.  Please act in order to also protect those who, by no fault of their own, have not been able to update to version 22.

Hi,

If you (or your friend) cannot update to the latest version, we would recommend that you report it.
You can report it on the forum or if you/your friend have a paid subscription via https://support.avast.com/contact/
By remaining on an outdated version, you won't have the latest protection (there are many more fixes and enhancements overall).

Concerning "Avast has up to now been silent." -
Avast became aware of this issue on December 20, 2021. We worked on a fix released in version 22.1 in February 2022.
Avast published an update on February 8, which included the fix for this vulnerability and other bug fixes: https://forum.avast.com/index.php?topic=317641.0 It is common practice among technology companies to fix vulnerabilities in their products without providing information which could lead to their exploitation.
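The advice in this thread boils down to one check an administrator can make on a machine they look after: is the installed Avast or AVG build at or above 22.1, the version the statements above say carries the fix for CVE-2022-26522 and CVE-2022-26523? The PowerShell below is an added example, not Avast's own code or tooling. It assumes the product registers under the standard Windows Uninstall registry keys with a DisplayName containing "Avast" or "AVG" and a dotted numeric DisplayVersion; both are assumptions, and a machine that reports "Unknown" should be checked by hand.

```powershell
# Added example (not Avast's code): report whether each installed Avast/AVG
# product is at or above 22.1, the version the thread states carries the fix
# for CVE-2022-26522 / CVE-2022-26523.
# Assumptions: the product appears under the standard Uninstall keys with a
# DisplayName matching 'Avast' or 'AVG' and a dotted DisplayVersion.

$FixedVersion = [version]'22.1'

# Both native and WOW6432Node views, so 32-bit installers on x64 are seen too.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-AvProductStatus {
    # Returns one object per matching product with a FixApplied flag:
    # $true (>= 22.1), $false (older), or 'Unknown' (version not parsable).
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Avast|AVG' -and $_.DisplayVersion } |
        ForEach-Object {
            # [version] accepts 2 to 4 dotted numeric parts (e.g. 22.1.2504).
            # An unparsable string is reported as Unknown rather than being
            # silently treated as patched.
            $parsed = $null
            $ok = [version]::TryParse($_.DisplayVersion, [ref]$parsed)
            [pscustomobject]@{
                Product    = $_.DisplayName
                Version    = $_.DisplayVersion
                FixApplied = if ($ok) { $parsed -ge $FixedVersion } else { 'Unknown' }
            }
        }
}

$status = Get-AvProductStatus
if (-not $status) {
    Write-Output 'No Avast/AVG product found in the Uninstall registry keys.'
} else {
    $status | Format-Table -AutoSize
    if ($status | Where-Object { $_.FixApplied -ne $true }) {
        Write-Warning "At least one Avast/AVG installation is below $FixedVersion or could not be parsed; update it, or report the update failure as advised above."
    }
}
```

Run it in an elevated PowerShell session on the machine in question; it only reads the registry and changes nothing. Comparing against `[version]'22.1'` rather than a string avoids the classic mistake of a text comparison ranking "21.8" above "22.1.2504".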

Offline loungehake

Thank you r@vast.  I have had success in installing Avast Free 22.4 on the Windows 7 system I mentioned earlier in this thread.  The logon/logout problem has not yet reappeared.  If that situation continues, I will consider that Avast has successfully addressed the problem since Avast 21.

Thank you DavidR for the insights into emergency updates.  I would be surprised if the emergency update facility in version 21.5 was not compatible with an emergency update for version 22.1.  I guess that Avast would have this situation covered.  I hope so.

With my usual bad luck, as soon as I have posted this the problem will return.  ;)

As the man who jumped off the Empire State Building was heard to say as he passed the 70th floor, "So far, so good."
« Last Edit: May 06, 2022, 02:53:47 PM by loungehake »

Offline loungehake

It's still working.  I haven't been able to say that about Avast on my Windows 7 system since August 21.  That must be good.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Avast released update 22.4 a few days ago. Using an old antivirus just doesn't make sense, given that it has the best protection capabilities if it's as recent as possible.
Visit my webpage Angry Sheep Blog

Offline loungehake

Thanks RejZoR.  I quite agree.  However, even the high quality that is Avast is not 100% assured, as I found this morning when an update installation of 22.4 hung on one of my usually well-behaved Windows 10 PCs.  I uninstalled in safe mode using avastclear.exe and reinstalled using the latest offline installer.  All now seems well.

I look after several Windows 10 PCs and had obstinate logon/logoff issues with a Windows 7 device (mitigated for eight months by changing to Panda Dome and now solved after I installed Avast 22.4) and a Windows 10 PC which cannot simply be updated beyond 21.5, also because of logon/logoff issues.  That PC is 100 miles away from me at a non-techie friend's home and visiting is no longer straightforward.  No bad system behaviour issues have been reported to me and on-demand scans have found no problems.  I have come to expect occasional nuisance interactions between Avast and Windows.

I do not lightly omit to install version updates.  Sometimes there is no choice.  Better a working older version of Avast than another product.
« Last Edit: May 07, 2022, 10:54:23 AM by loungehake »

Offline Mr. Consumer

  • Full Member
  • ***
  • Posts: 134
Awful vulnerability. It further damages Avast's reputation.

Offline bob3160

Quote from: Mr. Consumer
Awful vulnerability. It further damages Avast's reputation.
Guess you didn't read the article but are simply reacting to the headline.
Reported - Never exploited - Fixed and the only ones affected are those that are still running
an outdated version which is never a good idea.

Offline DavidR

Quote from: Mr. Consumer
Awful vulnerability. It further damages Avast's reputation.

You're free to choose another AV.  But don't doubt they too could have vulnerabilities, that may or may not have been exploited.  Nor are they likely to be publicly reported for obvious reasons.

To exploit any vulnerability, malware to run the exploit would have to get past the normal Avast Shields.

Offline loungehake

Thanks David. That is reassuring.

Offline DavidR

Quote from: loungehake
Thanks David. That is reassuring.

You're welcome.

Unfortunately the report doesn't consider how the exploit measure would get on the system to be able to run the exploit.  The headline is the fear factor and not the whole story as to how the exploit might be run on the system.

I hadn't read the report as I personally didn't feel it warranted it (e.g. I didn't fear the issue), but I have just read it and there really isn't much on how this malware would get on the system to run the exploit in the first place.

Outside of this:
Quote from: extract
For example, the vulnerabilities could be exploited as part of a second-stage browser attack, the security researchers write.  Or the vulnerabilities could be used to break out of the sandbox.

This would necessitate getting past the Web Shield and other shields that might cover that area.  So talking only about the potential exploit in isolation and not the overall protection I feel is misleading and more fear mongering.

Offline Mr. Consumer

Quote from: bob3160
Quote from: Mr. Consumer
Awful vulnerability. It further damages Avast's reputation.
Guess you didn't read the article but are simply reacting to the headline.
Reported - Never exploited - Fixed and the only ones affected are those that are still running
an outdated version which is never a good idea.
I read it before it was posted here and also read Trend Micro and SentinelOne's report. The vulnerability has been publicized a lot in several news sites, so my point about it damaging Avast's reputation is correct.
Quote from: DavidR
Quote from: Mr. Consumer
Awful vulnerability. It further damages Avast's reputation.

You're free to choose another AV.  But don't doubt they too could have vulnerabilities, that may or may not have been exploited.  Nor are they likely to be publicly reported for obvious reasons.

To exploit any vulnerability, malware to run the exploit would have to get past the normal Avast Shields.

Yes, almost all drivers including AV drivers have vulnerabilities and they are being discovered every year. So Avast is not the only one. These signed drivers can be used to attack kernels so it's always risky. It's always a cat and mouse game.