On Tuesday, an AVAST spokesperson told SCMagazine.com that an undisclosed vulnerability in Simple Machines Forum (SMF) 2.0.6, the longtime platform of choice for AVAST, could have been what enabled an attacker to compromise information on nearly 400,000 AVAST forum users.
On Wednesday, Liroy van Hoewijk, CEO of SMF developer Simple Machines, told SCMagazine.com that this is not the case.
“[AVAST] might genuinely be convinced that the attack vector is within SMF, [but] we place question marks on that notion,” van Hoewijk said. “If there was any evidence, we'd instantly admit it, apologize and issue an immediate patch. However, no such evidence has been shown.”
Van Hoewijk said that SMF 2.0.6 does not contain any known vulnerabilities, nor were any patched, publicly or quietly, in 2.0.7, the most recent version. Van Hoewijk further questioned if AVAST was using 2.0.6 at all, citing the 2012 copyright of AVAST's latest SMF installation as evidence.
In a Wednesday post in response to the AVAST forum breach, William Wagner, the SMF project manager who also goes by the name ‘Kindred,’ wrote that SMF 2.0.4 used a 2013 copyright, meaning that AVAST might have performed a manual update and did not apply the full SMF-approved patches.
“Patches change version numbers, and if a year changed, it also updates that,” van Hoewijk said. “It only does not change when the update is applied manually instead of automated, but in that case you must still deliberately skip it by ignoring that part of the update.”
If that is the case, then AVAST could have been impacted by one of the vulnerabilities present in SMF 2.0.5 or prior – bugs that were patched in 2.0.6, van Hoewijk said, explaining that AVAST only yesterday decided to share source code and partial log files after initially not being forthcoming with information.
So what did happen?
Simple Machines is helping to figure that out by analyzing the information sent over by AVAST, but van Hoewijk speculated that it could have been anything from an administrator whose password was compromised, to poorly applied patches as a result of manual updates, to vulnerabilities in custom code, modifications, or the server software.
“Evidence, [the copyright], points to the fact that they never used the package manager to apply patches,” van Hoewijk said. “[If] they manually updated files, they may not have fully upgraded their systems with every bit of every patch, as is required to bring it on par with security fixes.”
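The failure mode van Hoewijk describes, a hand-applied update that replaces some files and skips others, leaves no trace in the version string if the administrator edits that too, but it does leave the files themselves out of step with the release. The audit below is an added example written for this article, not code from Simple Machines, SMF or AVAST: it compares a deployed file tree against a manifest of SHA-256 hashes taken from the clean release and separates files that match, files that are stale (a pre-patch or locally edited copy), files the release ships that are absent, and files present on disk that the release does not know about (custom code or modifications). It also reads the copyright year from the front-controller header, the clue the article says pointed to a manual update. All paths, file contents and hashes are constructed for the example and do not reflect SMF's real layout or release contents.

```python
"""Detect a partially applied patch by comparing a deployed tree with the
release manifest. Example code written for this article; file layout and
contents are constructed, not taken from SMF."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Relative path -> SHA-256 for a known-good release tree.

    In practice this comes from a clean download of the release, never
    from the server being audited."""
    return {path: sha256_hex(data) for path, data in files.items()}


@dataclass
class PatchAudit:
    ok: list[str] = field(default_factory=list)       # hash matches the release
    stale: list[str] = field(default_factory=list)    # present but differs from the release
    missing: list[str] = field(default_factory=list)  # shipped in release, absent on disk
    extra: list[str] = field(default_factory=list)    # on disk, unknown to the release

    def fully_patched(self) -> bool:
        # Extra files are not by themselves a patch failure; stale or
        # missing release files are.
        return not self.stale and not self.missing


def audit_tree(manifest: dict[str, str], deployed: dict[str, bytes]) -> PatchAudit:
    """Classify every path in the release manifest and in the deployed tree."""
    audit = PatchAudit()
    for path in sorted(manifest):
        if path not in deployed:
            audit.missing.append(path)
        elif sha256_hex(deployed[path]) == manifest[path]:
            audit.ok.append(path)
        else:
            audit.stale.append(path)
    audit.extra = sorted(p for p in deployed if p not in manifest)
    return audit


_COPYRIGHT = re.compile(rb"Copyright\s+(?:\(c\)\s*)?(\d{4})", re.IGNORECASE)


def copyright_year(source: bytes) -> int | None:
    """Year from a 'Copyright 2013 ...' header line, or None if absent."""
    m = _COPYRIGHT.search(source)
    return int(m.group(1)) if m else None


def copyright_lag(release_index: bytes, deployed_index: bytes) -> int | None:
    """Years the deployed header trails the release header (0 = in step)."""
    r, d = copyright_year(release_index), copyright_year(deployed_index)
    if r is None or d is None:
        return None
    return r - d


# Constructed release tree (the patched version as shipped).
RELEASE_FILES = {
    "index.php": b"<?php\n// Copyright 2013 Example Forum\n$forum_version = 'Forum 2.0.6';\n",
    "Sources/Subs.php": b"<?php\nfunction sanitize($s) { return htmlspecialchars($s); }\n",
    "Sources/Load.php": b"<?php\nfunction load_user($id) { return (int) $id; }\n",
    "Themes/default/Login.template.php": b"<?php\n// login template\n",
}

# Constructed deployed tree: version bumped by hand, copyright year left at
# 2012, one source file never replaced, one template never copied, one local mod.
DEPLOYED_FILES = {
    "index.php": b"<?php\n// Copyright 2012 Example Forum\n$forum_version = 'Forum 2.0.6';\n",
    "Sources/Subs.php": b"<?php\nfunction sanitize($s) { return $s; }\n",
    "Sources/Load.php": RELEASE_FILES["Sources/Load.php"],
    "Sources/Custom.php": b"<?php\n// local modification\n",
}


def run_example() -> PatchAudit:
    return audit_tree(build_manifest(RELEASE_FILES), DEPLOYED_FILES)


if __name__ == "__main__":
    result = run_example()
    print("fully patched:", result.fully_patched())
    for label in ("ok", "stale", "missing", "extra"):
        print(f"{label:8}", getattr(result, label))
    print("copyright lag (years):",
          copyright_lag(RELEASE_FILES["index.php"], DEPLOYED_FILES["index.php"]))
```

The version string alone is not trusted here, since the article notes it can be edited by hand; the hash comparison is what establishes whether each release file was actually replaced. The `extra` bucket is reported rather than flagged, because custom code and modifications are legitimate on a live forum, but van Hoewijk lists them among the things that would need their own review.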
Also in the post, Wagner debunked rumors of a Remote Code Execution vulnerability that could impact SMF 2.0.6.
AVAST announced on Sunday that its forums were hacked and that usernames, email addresses and encrypted passwords were compromised for 0.2 percent, or about 400,000, of its 200 million forum users.
SCMagazine.com contacted AVAST on Wednesday for a follow-up comment, but a spokesperson said that the computer security company had nothing else to add at the time.