Topic: VPS updates add insecure ACL to DATA folder

zerospam
« on: March 17, 2009, 08:36:52 PM »
When I apply a VPS update via the .EXE download (http://avast.com/eng/updates.html), and possibly also through updating/iAVS update, the updater adds an ACL granting the "Users" group full control over the C:\Program Files\Alwil Software\Avast4\DATA folder. While it appears that one of Avast's drivers prevents unauthorized writes to this folder, the "full control" ACL still creates potential vulnerabilities should the driver malfunction.

Also, the "full control" ACL permits any user to read the DATA\log folder, the DATA\chest folder, and possibly other data that the administrator might not want ordinary users to read.
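
An administrator can check for the condition described in the post above with a short audit script. This is an added example, not part of the original post and not Avast's own tooling; the default path is the one the post names, while the list of "broad" groups and the write mask are choices made for this example.

```powershell
# Added example: list Allow ACEs that broad groups hold on the DATA folder tree.
# The default path is the one named in the post; change it for other installs.
param(
    [string]$Root = 'C:\Program Files\Alwil Software\Avast4\DATA'
)

# Well-known SIDs, so the check does not depend on localized group names.
$BroadSids = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-1-0'      = 'Everyone'
}

# Rights that allow changing folder contents or the ACL itself.
# FullControl is not listed by name because its bit mask also covers read rights;
# it still matches here because it contains every bit below.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# ACEs can also carry raw generic bits: GENERIC_ALL and GENERIC_WRITE.
$WriteMask = $WriteMask -bor 0x10000000 -bor 0x40000000

# The root folder plus every subfolder (log, chest, ...).
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$sidType = [System.Security.Principal.SecurityIdentifier]
$findings = foreach ($dir in $folders) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or -not $BroadSids.ContainsKey($sid)) { continue }
        [pscustomobject]@{
            Folder    = $dir.FullName
            Principal = $BroadSids[$sid]
            Rights    = $ace.FileSystemRights
            CanWrite  = ([int]$ace.FileSystemRights -band $WriteMask) -ne 0
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Folder, Principal | Format-Table -AutoSize -Wrap
```

A row for the DATA folder with `CanWrite` set to `True` for `BUILTIN\Users` matches the first paragraph of the post; rows for `DATA\log` or `DATA\chest` that show only read rights correspond to the exposure described in the second paragraph.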