For Avast, Ormandy identified that its Avastium browser (a fork of Google Chromium) allowed an attacker to "read any file on the filesystem by clicking a link." The exploit involved using a specially-crafted JavaScript web page that could bypass built-in checks and potentially allow a malicious party to read cookies and email. The issue was first disclosed on December 8th, but Avast released a patched version of its browser on February 3rd.

It's a similar story for Comodo's Internet Security software and its Chromodo browser. When users install the software suite, their existing Chrome installation is replaced with Comodo's own. It was meant to be "private," but it wasn't. When it's executed, "all shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices," notes Ormandy.

While Chrome operates a same-origin policy, which ensures that only scripts from the same website can access from each other, Chromodo disabled that protection and left users open to having their private data sniffed by malevolent websites. However, eWeek reports that the fault wasn't with the browser, but an add-on. Comodo director Charles Zinkowski says the company released a new version of the browser without the add-on on February 3rd, which has fixed the issue for all users.

In the case of Malwarebytes, Ormandy found that its Anti-Malware browser wasn't downloading updates securely, which could leave users open to a man-in-the-middle attack. An attacker could mimic the company's built-in checks and run their own code on a user's machine. The issue was severe enough for Malwarebytes CEO Marcin Kleczynski to address it on the company blog, but it could take up to four weeks for them to fix it.

Google's Project Zero discloses vulnerabilities from companies that use the Chromium browser to launch their own secure browsers. The browsers tend to ship alongside anti-virus software and the temptation for vendors is to overwrite users' existing settings to better protect them. As you can see, those methods often disable protections within the browser, leaving some users more vulnerable than before they installed the security tool.