Avast Patches AV Zero Day

Thursday, October 8, 2015 @ 04:10 PM gHale

Avast patched a Zero Day vulnerability in its antivirus tool.

The bug exposed machines when users accessed Web pages protected through HTTPS connections, said Tavis Ormandy, the Google Project Zero engineer who discovered the flaw.

The Avast antivirus taps into encrypted traffic so it can scan for threats, but it was using a faulty method for parsing X.509 certificates, which gave attackers the possibility of executing code on the user's computer.

“We have released a fix via virus definition updates last week. There is no action required by the user,” Avast officials said.

The only condition was that a user access a malicious HTTPS website, which is not a far-fetched scenario.

Ormandy released a proof-of-concept on Project Zero’s Google Group after the antivirus company issued a fix.

This is the third antivirus solution to suffer a Zero Day vulnerability in the past 30 days.

Kaspersky was one firm that suffered a Zero Day in its antivirus tools, as did FireEye.