In October 2019, our ongoing collaboration with the security community paid dividends when four external security researchers discovered a local privilege escalation vulnerability affecting the Avast Secure Browser (ASB) updater. This was a first for Avast as never before have four researchers reported the same vulnerability to us; a pleasant indication that the security research community is alive and active.
A privilege escalation is the exploitation of a bug that allows for access to properties of a computer system that are usually out of bounds. In this particular case, Avast Secure Browser’s updater, a privileged process responsible for delivering product updates to a user’s machine, was writing an INI configuration file to a user-shared location (commonly known as ProgramData) and then setting full access permissions on this file.
Since the updater writes to this configuration file as an elevated process, it was possible that the configuration file could be replaced with a symlink (i.e. a pointer to another file), causing the updater to overwrite the target file. This exploit could have been used to allow an attacker to corrupt any file, including system files and personal user files.
Furthermore, because the updater elevated the configuration file’s permissions, it could have been replaced with a symlink thus allowing an attacker to elevate the access permissions on the target file. This would have given the attacker elevated access to that file and the potential to replace or inject it with malicious code. If said target file turned out to be an executable that runs with elevated permissions, it could have allowed the malicious code to execute accordingly.
In order to benefit from the bug’s existence, the attacker would have required login access to the user’s computer with the ability to create symlinks. Although the bug’s risk of abuse is lower than a remote vulnerability’s, the security model is still affected, which is why our engineers worked hard to fix the problem by eliminating the need for the configuration file altogether.
Special thanks to…
Last week, we launched a Bounty Hunter Credits page as an additional token of appreciation for the ongoing support from the external research community. This page is a tribute to them and a chance to recognise their work.
So, thank you to the four researchers Silton Santos, security analyst at Tempest Security Intelligence, as well as security researchers Giulio Comi, Phil Castellanos, and Jimmy Bayne, for discovering and reporting the bug in the ASB updater, and to the entire whitehat community for its philanthropy and enthusiasm to fix issues that are broken.
If you have discovered a bug in any Avast product, visit our bug bounty page to find out how you can submit your analysis and review the terms and conditions of our program.