Avast disables JavaScript engine in its antivirus following major bug

Security flaw could allow an attacker to run malicious code on a user’s machine

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Avasthas decided to disable a major comportment of itsantivirus softwareafter a security researcher discovered a dangerous vulnerability that could put all of the company’s users at risk.

The security flaw, which was first discovered byGoogle’sTavis Ormandy, was found in the company’s JavaScript engine. This internal component of Avast antivirus allows for JavaScript code to be analyzed for malware before it’s allowed to execute in browsers or email clients.

In aGitHub pagecontaining the tool he used to analyze the company’s antivirus software, Ormandy explained just how serious the security flaw is, saying:

“Despite being highly privileged and processing untrusted input by design, it is unsandboxed and has poor mitigation coverage. Any vulnerabilities in this process are critical, and easily accessible to remote attackers.”

JavaScript engine security flaw

Exploiting the kind of bug that Ormandy discovered in Avast’s JavaScript engine is actually quite easy and an attacker would only need to send a user a malicious JavaScript or Windows Script Host file via email to do so.

Due to the fact that most antivirus software has system level access, once Avast antivirus downloaded one of these malicious files into its own custom engine, an attacker could easily execute malicious operations on a user’s computer. For instance, if an attacker exploited this security flaw, they would then have the ability to installmalwareon an Avast user’s device.

Although the company has been aware of the bug for almost a week, it has not yet released a patch to fix the issue and instead, it decided to disable its antivirus' ability to scan JavaScript code until one is ready.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

As of now, there is no news as to when a patch will be ready but Avast did reach out toZDNetwith the following comment, which reads:

“Last Wednesday, March 4, Google vulnerability researcher Tavis Ormandy reported a vulnerability to us affecting one of our emulators. The vulnerability could have potentially been abused to carry out remote code execution. On March 9, he released a tool to greatly simplify vulnerability analysis in the emulator. We have fixed this by disabling the emulator, to ensure our hundreds of millions of users are protected from any attacks. This won’t affect the functionality of our AV product, which is based on multiple security layers.”

ViaZDNet

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.

HPE reveals critical security bug affecting networking access points

A critical Palo Alto Networks bug is being hit by cyberattacks, so patch now

Ireland vs New Zealand live stream: how to watch 2024 rugby union Autumn International online from anywhere