Antivirus maker Avast has disabled a core component of its antivirus to address a severe vulnerability that would have allowed attackers to control users’ PC.

The Antivirus maker Avast has disabled a major component of its antivirus engine to address a severe vulnerability that would have allowed attackers to hack into users’ PCs.

The issue was discovered by the popular white-hat hacker and Google vulnerability researcher Tavis Ormandy, it resides in the Avast’s JavaScript engine, which is an internal component of the popular antivirus.

Wow – Avast decided to disable their JavaScript interpreter globally!



The vulnerability report they mention wasn't just me, it was a Project Zero collaboration with @natashenka 🔥🔥🔥



I think this is the right decision, it was a *lot* of attack surface. https://t.co/iFyry17HD0 — Tavis Ormandy (@taviso) March 11, 2020

The Avast’s JavaScript engine is used to analyze JavaScript code to detect malicious code before it is executed in the users’ browsers or email clients.

Ormandy pointed out that the main Avast antivirus process, AvastSvc.exe, which, runs as SYSTEM.

The service loads the low level antivirus engine, and analyzes untrusted data from sources such as the filesystem minifilter or intercepted network traffic.

“Despite being highly privileged and processing untrusted input by design, it is unsandboxed and has poor mitigation coverage. Any vulnerabilities in this process are critical, and easily accessible to remote attackers.” explained Ormandy. “So.. maybe not great that it includes a custom JavaScript interpreter….???? 🙃”

The vulnerability researcher also released a tool that he used in his tests.

I have something fun for you, I pulled the javascript interpreter out of Avast and ported it to Linux 😆



This runs unsandboxed as SYSTEM, any vulns are wormable pre-auth RCE on 400M endpoints ¯_(ツ)_/¯https://t.co/vGrfke7fPd 🐧 pic.twitter.com/gk1VpvHQ16 — Tavis Ormandy (@taviso) March 9, 2020

Ormandy explained that this flaw is trivial to exploit, an attacker could trigger it by sending to a user running the flawed antivirus a malicious JS or WSH file via email, or tricking the victims into accessing a specially-crafted that contains the malicious JavaScript code.

The Avast antivirus would download and run the malicious JavaScript code inside its engine, allowing the execution of arbitrary code on the target computer with SYSTEM-level access.

At the time of writing, the antivirus maker has yet to address the bug with a specific patch, it only mitigated the problem by disabling the antivirus’ JavaScript component.

In a statement Avast sent to ZDNet, the antivirus maker confirmed that the mitigation action it implemented will not affect the functionality of its AV.

We have fixed this by disabling the emulator, to ensure our hundreds of millions of users are protected from any attacks. This won’t affect the functionality of our AV product, which is based on multiple security layers.” reads the statement released by the security firm.

Pierluigi Paganini