Avast Disables Buggy JavaScript Engine

On March 4th, researcher Tavis Ormandy alerted Avast to a vulnerability in its antivirus product's JavaScript emulation engine. Just a few days later, Ormandy released a tool on GitHub that made analyzing the engine easier. By design, Avast's JavaScript engine ran with SYSTEM-level privileges while processing untrusted JavaScript, which makes it an attractive target for attackers attempting remote code execution exploits. On March 11th, the antivirus company announced on Twitter that it had decided to disable the emulator for all users globally.

Analyst Notes

Avast users don't need to take any special action in response to this vulnerability because the company disabled the feature globally. Common phishing and security awareness tips, such as not opening or running attachments from unknown senders, can go a long way toward preventing attacks against vulnerabilities like this one. Because of how antivirus applications operate, portions of the software are often designed to run with higher-level privileges, which could give an attacker administrative rights if successfully exploited. Binary Defense highly encourages anyone using antivirus products to allow them to continue updating automatically, not only to receive the latest antivirus definitions but also to receive critical security updates such as this one.

Sources:

https://twitter.com/avast_antivirus/status/1237685343580753925

https://www.zdnet.com/google-amp/article/avast-disables-javascript-engine-in-its-antivirus-following-major-bug/