Archive for Avast

PoC Released For Windows Win32k Bug That Was Exploited In Attacks

Posted in Commentary with tags on June 10, 2023 by itnerd

A proof of concept that relates to a Win32k vulnerability that was patched in May’s “patch Tuesday” release has been released by security researchers:

The vulnerability is tracked as CVE-2023-29336 and was originally discovered by cybersecurity firm Avast. It was assigned a CVSS v3.1 severity rating of 7.8 as it allows low-privileged users to gain Windows SYSTEM privileges, the highest user mode privileges in Windows.

Avast says they discovered the vulnerability after it was actively exploited as a zero-day in attacks. However, the company has declined to share further details with BleepingComputer, so it is unclear how it was abused.

To raise awareness about the actively exploited flaw, and the need to apply Windows security updates, CISA also published an alert and added it to its “Known Exploited Vulnerabilities” catalog.

Exactly a month after the patch became available, security analysts at Web3 cybersecurity firm Numen have now released full technical details on the CVE-2023-29336 flaw and a PoC exploit for Windows Server 2016.

To be clear, this is a threat to anyone running Windows 8, 10 and Windows Server 2016. Windows 11 users appear to be immune.

Joe Saunders, CEO, RunSafe Security had this comment on this bug:

“We need to pursue ways to protect HEAP and STACK from attacks through memory safety techniques. About 60% of known memory vulns have active exploits available, but it pays to address the entire class of vulns through memory safety as opposed to chasing each one, vuln by vuln with patch by patch.”

To protect yourself from this vulnerability, your best course of action is to make sure your Windows systems are fully patched. At least until the next vulnerability appears.

NortonLifeLock To Merge With Avast

Posted in Commentary with tags on August 12, 2021 by itnerd

Antivirus vendor NortonLifeLock has said it will merge with Britain’s Avast PLC in a transaction combining cash and stock in two different options, totaling between $8.1 billion and $8.6 billion in stock:

That value is roughly equivalent to the value in U.S. dollars of Avast’s enterprise value, which takes into account its cash and debt, of 6.5 billion pounds, based on the closing price of Avast stock Tuesday of 5.68 pounds on the London Stock Exchange. The two companies said in the joint press release that their respective boards of directors see an opportunity to “create a new, industry-leading consumer Cyber Safety business, leveraging the established brands, technology and innovation of both groups to deliver substantial benefits to consumers, shareholders, and other stakeholders.” 

The two companies said the deal will bring together product lines that are broadly complementary, while giving the combined company a user base of over half a billion customers. The deal will broaden the geographic market coverage of the combined company. In addition, the two expect to realize “$280 million of annual gross cost synergies.” Under terms of the deal, “Avast shareholders will be entitled to receive a combination of cash consideration and newly issued shares in NortonLifeLock with alternative consideration elections available.”

I’m interested to see how this merger goes and if things are better or worse with these products. Because at the end of the day, the only thing that matters is whether these products perform and do their jobs well. If not, these products will be footnotes in history.

If You Value Your Privacy, Stop Using CCleaner NOW!

Posted in Commentary with tags on August 2, 2018 by itnerd

Many people on the PC side of the fence and quite a few Mac users as well have been known to use CCleaner to clean up junk off their computers. I am included in that list. But I’ve stopped using and recommending it recently. The company behind CCleaner was bought by Avast last year. Since that happened I’ve seen advertising and what I consider malware creeping into the product.

It now seems that the product has completely jumped the shark as Avast has decided that it is perfectly fine to bundle in spyware as the software now has the ability to phone home. BetaNews first spotted this change with this text:

CCleaner now sends a heartbeat every 12 hours which reports up-to-date usage statistics to allow for faster delivery of bug fixes and product improvements

So the way I read this, it phones home every 12 hours and tells Avast how I am using the product.

#Fail.

It also seems to be turned on by default, which is a problem in the EU because the GDPR says that should be an opt-in sort of thing. But even if you wanted to turn it off, it will just turn itself back on.

#EpicFail

Now this forum post from the company indicates that the blowback from this has been epic and that the company will address this “in the coming weeks” with a new version that they hope will pacify you. But I think that Avast jumped the shark on the trust front a very long time ago. Remember, these were the guys who were doing a man in the middle attack with their Mac antivirus app in the interests of protecting you. Thus they have a bit of a track record in terms of not being trusted. My advice is to avoid CCleaner and delete it from your system. But if you need a utility like CCleaner, there are some options. On the Mac side of the fence, a great option is Onyx. On the PC side of the fence there’s KCleaner or WiseCleaner. Those are worth a look and they’re all free.


Avast Snags AVG In $1.3 Billion Deal

Posted in Commentary with tags on July 7, 2016 by itnerd

In a blockbuster deal, Netherlands based anti-virus software maker AVG has been acquired by Avast in a huge deal that is worth $25 a share or $1.3 Billion US in total. Here’s why Avast did the deal:

Avast said that it’s acquiring AVG to “gain scale, technological depth, and geographical breadth” and so it can “take advantage of emerging growth opportunities in internet security, as well as organizational efficiencies.”

The combined company will have access to “400 million endpoints” — that is, devices that have some form of Avast or AVG application installed. Almost half of those are mobile, which is key in a world that is increasingly shifting away from the desktop. Access to more devices will serve the joint company a bigger pool of data on malware, meaning it should be better positioned to offer improved security products.

“We are in a rapidly changing industry, and this acquisition gives us the breadth and technological depth to be the security provider of choice for our current and future customers,” said Vincent Steckler, CEO of Avast. “Combining the strengths of two great tech companies, both founded in the Czech Republic and with a common culture and mission, will put us in a great position to take advantage of the new opportunities ahead, such as security for the enormous growth in IoT.”

This deal basically takes two of the biggest players and takes them down to one. But you could see it coming, as Microsoft for example is stepping up its game when it comes to endpoint security and anti-virus. Plus sales in this space are, at best, flat. Thus consolidation was likely the way to go for both parties. Of course the shareholders of AVG have to approve this deal, but that shouldn’t be a problem given that the boards of both companies have given their approval.

Avast Responds To My Post About Their Anti-Virus Product

Posted in Commentary with tags on May 21, 2015 by itnerd

Frequent readers will recall that while I was traveling on business in India and Australia, I tripped over something weird in the airport in Dubai:

Before I board my flight, I should mention that I am seeing what looks like “man in the middle” behavior when it comes to SSL connections. Certificates appear to be coming from the access point and not from the server. I haven’t got time to definitively prove this, but if this is the case, this is not cool.

I didn’t seriously troubleshoot this until I got home from the trip. When I did, I discovered that it was the Avast anti-virus application that was the issue:

What Avast is doing is known as a “Man In The Middle Attack” where you get in the middle of a secure connection between two parties and intercept data. This is very similar to what the adware that Lenovo had on some of their computers was doing. That, my friends, is completely unacceptable. When you use SSL certificates, you are assuming that the connection is secure (or at least as secure as it can be) from those who would like to do something evil to you. So when a company like Avast does something as extremely stupid as this, they potentially expose their customers to all sorts of risks, which is ironic as you’re using a product like Avast Anti-Virus to protect you from risks. Not only that, one has to wonder what info Avast has access to by doing this? When I go online to bank, can they see my personal info for example? I doubt they’re looking, but you really have to wonder.

I was so bothered by this, I stopped using Avast. That was back in late March. Yesterday, I was contacted by a representative of Avast. Here’s what they said:

Hi IT Nerd,
We apologize for alarming you during your travels, but we would like to explain our HTTPS scanning feature in order to clarify what Avast is doing, as it is not a MiTM scheme. 

As more and more online services are moving to HTTPS-by-default or even HTTPS-only, attacks are increasingly coming over HTTPS. That’s why it is imperative for security software to check this attack vector. To address this, our trusted Web Shield technology (and Mail Shield) scans HTTPS sites for malware and threats.

To detect malware and threats on HTTPS sites, Avast must remove the SSL certificate and add its self-generated certificate. Our certificates are added into the root certificate store in Windows and in major browsers to protect against threats coming over HTTPS traffic that otherwise could not be detected. 

If you do not want Avast to scan HTTPS traffic, you have the option of disabling the feature in the Avast settings: (-> Avast -> Settings -> Active Protection -> Web Shield -> uncheck “Enable HTTPS scanning”)

Avast whitelists websites if we learn that they don’t accept our certificate. Users can also whitelist sites manually, so that the HTTPS scanning does not slow access to the site. 

I hope this mitigates your anxiety, and that you will continue to trust and use Avast as protection on your Macs and that you will recommend Avast to your customers. 

Best regards,
Deborah Salmi
Global social media manager
Avast Software

While I appreciate the fact that someone from Avast reached out to me, I don’t agree that this is not a man in the middle scheme. Let me explain why. When you want to scan secure traffic such as HTTPS traffic from websites for viruses and the like, you have three ways to do it:

  1. You add a “hook” in the client SSL library so that you get the outgoing data right before it gets encrypted, and the incoming data just after it has been decrypted. This is an option that a lot of anti-virus vendors go with, though it requires them to do a lot more work. For example, Firefox and IE implement SSL differently. So the anti-virus vendor would have to write code that recognizes how each browser does SSL. That’s a lot of work, and if you multiply that by the number of browser types and add to that the number of e-mail clients that are out there, that increases the amount of work that an anti-virus company has to do. But many do, and do it well.
  2. Secure traffic requires public and private keys for encryption to work. You have the former, the server has the latter. If you had both, you can scan all the traffic you want. But this is clearly not a workable solution unless you control the server in question. That’s because no third party server is going to give anyone their private key. Thus this option is usually off the table.
  3. You use a Man in The Middle scheme, which includes generating a fake server certificate on a certificate authority that you control and that has been installed in the “trusted CA” store of the client. This method is easy to implement and generally works (though it is possible to break client certificates using this method which would in turn take away your ability to access some resources). The main reason I am not a fan of this method is that it can create potential security risks. An example of this is the adware that Lenovo had on some of their computers which opened up massive security holes on the computers that it was installed on.

In short, Avast is using option number three and that’s not good. I say that because you have to trust that the way they implement option number three doesn’t ever open you up to some third party pwning you. You also have to trust that Avast themselves aren’t doing anything nefarious. I’m pretty sure that they’re not, but I am not 100% sure. Admittedly, that’s likely a side effect of the things that people like Edward Snowden have reported. The fact that you can turn it off if you don’t like it is not a solution either. Avast is correct when they say that more and more of your online world is moving towards secure traffic and you have to protect yourself from threats that use secure traffic. But the way they do it isn’t how it should be done. I would encourage Avast to abandon this method and move to something far more secure, such as using the “hook” method that I described earlier. That would encourage me to use an Avast product again.

In case you were wondering if Avast were the only ones guilty of using a man in the middle scheme, they’re not. ESET’s NOD32 based on my Google searches does something very similar. There are likely others that do this as well. If you want to know which method your anti-virus application uses, try to connect to various HTTPS sites and have a look at their certificate chain which is what I did when I was looking at this back in March. If all the chains go back to a single certificate authority that you don’t recognize or in the case of Avast says that it’s from the “Avast Trusted CA”, then that’s the man in the middle method. If the chains go back to various existing root CAs that you recognize, then that’s the “hook” method. Remember, the “hook” method is good. The Man In The Middle method is bad. And any anti-virus vendor that uses the latter should be avoided.
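One way to automate the certificate-chain check described above (and the manual inspection from the March post), as an added example that is not the post’s own code: it uses Python’s standard ssl module, and the sample observations are constructed, with the issuer names standing in for what getpeercert() would report.

```python
"""Tell the hook method from the man-in-the-middle method, following the
rule in the post: if several unrelated HTTPS sites all chain to the same
issuer you do not recognize, something local is re-signing the traffic;
if they chain to varied, well-known CAs, nothing is re-signing it."""
import socket
import ssl
from collections import Counter

# Constructed sample observations: (host, issuer commonName of the leaf
# certificate). A real run would collect these with probe_issuer().
SAMPLE_INTERCEPTED = [
    ("www.google.ca", "Avast trusted CA"),
    ("mail.example.com", "Avast trusted CA"),
    ("bank.example.com", "Avast trusted CA"),
]
SAMPLE_CLEAN = [
    ("www.google.ca", "GTS CA 1C3"),
    ("mail.example.com", "R3"),
    ("bank.example.com", "DigiCert TLS RSA SHA256 2020 CA1"),
]


def issuer_cn(cert):
    """Return the issuer commonName from an SSLSocket.getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def probe_issuer(host, port=443, timeout=5):
    """Connect with the system trust store (so a locally installed
    interception root is accepted) and report the leaf's issuer CN.
    Needs network access; the offline samples above do not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return issuer_cn(tls.getpeercert())


def classify(observations, min_hosts=3):
    """Classify (host, issuer CN) observations from unrelated sites.

    Returns ("intercepted", issuer) when every host presents the same
    issuer, ("clean", None) when issuers vary, and ("inconclusive", None)
    when there are too few hosts to judge."""
    if len(observations) < min_hosts:
        return ("inconclusive", None)
    issuers = Counter(cn for _, cn in observations)
    if len(issuers) == 1:
        return ("intercepted", next(iter(issuers)))
    return ("clean", None)


if __name__ == "__main__":
    print("sample A ->", classify(SAMPLE_INTERCEPTED))
    print("sample B ->", classify(SAMPLE_CLEAN))
```

To check your own machine, replace the samples with `probe_issuer()` results for a handful of unrelated sites; a single unfamiliar issuer across all of them is the man in the middle method.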

Avast Anti-Virus For Mac Uses “Man In The Middle” Scheme To “Protect” You… Yikes! [UPDATED]

Posted in Commentary with tags on March 21, 2015 by itnerd

When I was traveling to India and Australia, I started to notice that every time I started Apple Mail, I would get this popup:

Avast 1

What it was telling me was that because I was using SSL, it could not verify the identity of my e-mail server and something else might be pretending to be my e-mail server. That was a concern, and because I first saw this in the Dubai Airport, I thought it was their WiFi that was doing this.

Boy, was I wrong on that front.

I really didn’t have time to pursue it then, but since I’ve got back to Canada, I’ve looked into this and discovered a very troubling cause. When you click on “Show Certificate” you get this:

Avast 2

If you look at the red rectangle, the certificate is issued by “Avast untrusted CA”. Now I run my own mail server and I buy certificates from Verisign. So the only explanation for this is that Avast Anti-Virus For Mac is substituting my certificates for its own. What’s worse is that it expired around the time I left for my trip, which is why I was getting the pop ups in the first place. If that hadn’t happened, I would not have noticed. I confirmed that this was the case by disabling their “Mail Shield” feature as pictured below:

Avast 3

The second I did that, the problem went away and I confirmed that the certificates I purchased were in use. I continued to dig and discovered that Avast is doing the same thing with its “Web Shield”. When I go to Google.ca and check the certificate, I get this:

Avast 4

It uses an “Avast trusted CA” certificate. Disabling the “Web Shield” allows the browser to use whatever certificate the website provides.

What Avast is doing is known as a “Man In The Middle Attack” where you get in the middle of a secure connection between two parties and intercept data. This is very similar to what the adware that Lenovo had on some of their computers was doing. That, my friends, is completely unacceptable. When you use SSL certificates, you are assuming that the connection is secure (or at least as secure as it can be) from those who would like to do something evil to you. So when a company like Avast does something as extremely stupid as this, they potentially expose their customers to all sorts of risks, which is ironic as you’re using a product like Avast Anti-Virus to protect you from risks. Not only that, one has to wonder what info Avast has access to by doing this? When I go online to bank, can they see my personal info for example? I doubt they’re looking, but you really have to wonder.

Now my guess is that Avast is using this “Man In The Middle” scheme to intercept any sort of bad stuff that might hit your system. Thus they have good intentions, but it’s still pretty stupid and deserves to be called out because you have to hope that Avast is going to be trustworthy. Even if they are, some evil doer can leverage what Avast has done to cause all sorts of havoc on your system.

My friends, it’s not worth the risk.

As of last night, I no longer have Avast on any of my Macs. Nor am I recommending it to any of my customers. Plus I will be updating my review on this product to link to this story. Avast really dropped the ball here and they need to change the way they protect users if they wish to stay in business. Because creating an environment where you or some evil doer can snoop on users is not a good business model.

UPDATE: Avast responded to me. Click here to see what they said.

Review: Avast Free Antivirus For Mac [UPDATED – Not Recommended]

Posted in Products with tags on August 20, 2014 by itnerd

There’s lots of choice out there for Mac users who need a free antivirus product. Avast has a strong player with its free antivirus for Mac application. It’s simple to install once you download it. Once you install it, you’re not going to find a ton of security features like schedulers, junk cleaners, or backup utilities. We’re talking about basic protection on a local, email, and browser level. Now that’s not a bad thing, as Avast has clearly decided to make this antivirus app simple and easy to use. This sort of thinking extends to the user interface. Status updates are kept to a minimum. Periodically, Avast Free Antivirus throws a notification at you via an unobtrusive pop-up in the top right hand corner. Any options to do anything interesting exist inside the app, which you get to via the menu bar icon that gets installed along with the app. In terms of scanning, it’s not the fastest antivirus app that I’ve tested. It took about 30 minutes to scan my Mac and it did find a couple of PC viruses that I had planted to test it. Importantly, it did not affect the speed of my Mac, which is important as you don’t want to have your antivirus app slow you down. One handy feature is that if you have an Avast account, you can expand it to monitor any device or computer that’s been registered with that account and it will display on your Mac.

What’s my bottom line? Avast Free Antivirus is clearly designed and developed as a no-frills, quick security solution for Mac users. If you’re not a power user, you should try it out. I think you’ll like what it brings to the table.

UPDATE: I no longer recommend this product as it uses a “Man In The Middle” scheme to protect you which is extremely stupid and risky. More details here.