Vulnerability Management

Avast patches decade-old vulnerabilities in antivirus product

Avast’s Prague headquarters. (Photo: Avast)

Earlier this year, Avast quietly patched two similar vulnerabilities in its antivirus product that went undiscovered for a decade.

The vulnerabilities, both discovered by SentinelOne's SentinelLabs, were introduced into Avast in January 2012, and were copied into AVG when the companies merged in 2016.

"Our vulnerability research team has been doing a lot of work just going through different drivers and products that people use on a regular basis, and essentially just checking the security engineering checking the standard of how things are built. And obviously looking for vulnerabilities," said Juan Andres Guerrero-Saade, principle threat researcher at SentinalLabs.

The vulnerabilities, which lay in wait for the time it took the Marvel Cinematic Universe to release 22 movies, resided in the Avast anti-rootkit driver. By tricking the driver to expect a string of a different size than the driver is about to send it, attackers can overwrite data, ultimately resulting in breaking out of a sandbox, disabling security and escalating privilege.

"I'd love to say that it's a super complex vulnerability, but the truth of it is that it isn't," said Guerrero-Saade.

There is no evidence hackers have used the vulnerability in the past.

AVG and Avast customers with the 22.1 update released in January have been patched.

Guerrero-Saade said that the most important takeaway from the research for enterprises is not that the software is vulnerable — which he noted was still true, especially in a world where computers used to work from home may be family computers protected by Avast or AVG. Instead, he said, it is that software built on legacy code often harbors extremely old vulnerabilities.

"The real issue here is misaligned incentives, how most companies don't really have much of an incentive to go back and fix their codebases and look at old code, unless enterprises demand they check if it rises to the standard of security engineering that they would expect in the 2020s," he said. "Nobody rewards you for going back and cleaning up your code. They reward you for new products."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds