Serious flaw forces Avast to disable its JavaScript engine

A flaw discovered in the Avast antivirus JavaScript engine could have made it possible to take control of computers equipped with security software. The editor was forced to deactivate the module concerned.

The Avast editor has just deactivated a component of its famous antivirus following the discovery of a vulnerability that affects millions of computers around the world. The flaw was spotted by Tavis Ormandy, a security researcher on Google’s Project Zero team .

The module in question is the JavaScript engine, which analyzes JavaScript code before it is executed in a browser or messaging software. This emulator is integrated into the main process of the software, which can access the entire system, and works without pit sand to isolate it from other processes.

One email is enough to take control of an affected computer

A simple trapped JS or WSH file, sent by email or a web page with malicious JavaScript code , is enough to exploit this vulnerability. Such a breach would then have allowed the installation of malware on computers protected by antivirus. On Twitter , Avast said that ”  disabling the emulator will not affect the functioning of our AV, which is based on multiple layers of security  .”

Many Twitter users have wondered about the reason for the presence of such a module, if it can be removed without compromising the security of the antivirus. Tavis Ormandy warned Avast of the problem as early as March 4, and waited until March 9 before publishing his tool which had allowed him to discover the flaw . However, it was not until March 11 that the firm reacted by deactivating the JavaScript engine, without communicating information on a possible fix.