SafeZone, also known as Avastium, is a forked (or modified) version of Google’s Chromium open-source browser. Google’s Project Zero security research team identified a flaw within these code modifications and first alerted Avast on Dec. 18, 2015—giving the company a 90-day window to fix the bug before exposing it publicly.
Once Avast issued a patch on Feb. 3, 2016 — well prior to the imposed deadline — Google released its findings on its security research blog. According to blog author and case researcher Tavis Ormandy, computer or device owners who installed SafeZone as part of Avast’s premium security software suites had been vulnerable to an attack even if they had never used that particular browser.
Indeed, the security alert warned that if an unpatched SafeZone user visits a malicious URL using any web browser, he [the hacker] can launch Avastium and take complete control of it; reading files, cookies, passwords, everything. He can even take control of authenticated sessions and read email, interact with online banking, etc.”
Some industry observers have suggested that Google’s Project Zero research team may be concentrating its time and resources on examining companies whose products are derivatives of Google’s open-source code (case in point: Comodo). A potential motivation for this is to shield Google from any potential legal claims that its foundational source code is in part to blame for a future zero-day attack, suggested Rob Enderle, principal analyst at IT analyst firm Enderle Group, in an interview with SCMagazine.com.
“They do have an interest in making sure that derivative products are not compromised because of something Google did, as there would be inherent liability, whether they give the product away for free or not,” said Enderle, explaining that Google is trying to polish up a spotty reputation for security. It should be noted, however, that Google specifically emphasized in its blog post that its Chromium browser does not feature this discovered vulnerability and that Avast’s modifications directly created the bug.
Enderle also said that Avast’s response time to Google’s private vulnerability disclosure was “not horrible.” However, had a bad actor been able to exploit the vulnerability, nothing short of a 15-minute mitigation would have been acceptable. Responding in less than two months’ time is “better than it has been in the past—certainly the late ’90s and 2000s, but in this age we measure [mitigation] speed a whole lot differently. It’s actually measured in minutes and hours, not days and months,” said Enderle.