Chris Underhill, Head of IT and Security at UK-based cyber security firm Cyber Security Partners, has the following comments on the Avast SafeZone flaw.
Chris Underhill, Head of IT and Security at UK-based Cyber Security Firm, Cyber Security Partners:
How could such a flaw have happened in a “secure” browser from an IT security company?
This type of vulnerability is due to rapid release cycles and inadequate security testing. Quite frankly, an IT security company like Avast should not have fallen victim to a hole in the Chromium security chain. This type of issue should have been easily flagged in product testing.
Sadly, Avast is not alone in its failings. A number of other companies, including Comodo and Malwarebytes, are also on the Google hit list for poor implementation on top of Chromium that has generated security flaws. Nevertheless, this doesn’t take away from the fact that it is an avoidable issue and, as such, entirely unacceptable.
Should the firm have spotted the issue earlier?
There is no excuse for missing this issue. Chromium is a rapidly updated project and vendors such as Avast need to keep pace with the fast release cycle. It is their duty to identify any issues in the SafeZone code before the bad guys are able to exploit it.
There is, however, a greater need for transparency with third parties who build on Chromium thinking it’s automatically going to inherit the security reputation of Google’s main browser.
Would users be better off sticking with the main Chrome browser instead?
The protection, which exists in the original Chromium, was not present in SafeZone, making it possible for an attacker to ultimately construct a payload that can read local files on a victim’s machine. As these vulnerabilities do not exist in the Chromium base, users would have arguably been safer by not using the product at all.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.