11.03.2020

Avast disables part of its antivirus product to prevent remote code execution

Avast this week disabled a JavaScript interpreter that is part of its antivirus product, after security researcher Tavis Ormandy from Google discovered a vulnerability that could potentially lead to remote code execution.

The main Avast antivirus process is called AvastSvc.exe and runs as SYSTEM, Tavis Ormandy explains. That service loads the low-level antivirus engine and analyzes untrusted data received from sources such as the filesystem minifilter or intercepted network traffic.

Despite being highly privileged and processing untrusted input by design, the process is unsandboxed and has poor mitigation coverage. Any vulnerability in this process is therefore critical and easily reachable by remote attackers.

Earlier this week, the researcher released a tool that allows the emulator to be analyzed for vulnerabilities, warning that any issues discovered would likely be “critical and wormable.”

Two days later, Avast decided to disable the emulator globally, to ensure that it does not pose a security threat to users.