On Tuesday, an AVAST spokesperson told SCMagazine.com that an undisclosed vulnerability in Simple Machines Forum (SMF) 2.0.6, the longtime platform of choice for AVAST, could have been what enabled an attacker to compromise information on nearly 400,000 AVAST forum users.
On Wednesday, Liroy van Hoewijk, CEO of SMF developer Simple Machines, told SCMagazine.com that this is not the case.
“[AVAST] might genuinely be convinced that the attack vector is within SMF, [but] we place question marks on that notion,” van Hoewijk said. “If there was any evidence, we'd instantly admit it, apologize and issue an immediate patch. However, no such evidence has been shown.”
Van Hoewijk said that SMF 2.0.6 does not contain any known vulnerabilities, nor were any patched, publicly or quietly, in 2.0.7, the most recent version. Van Hoewijk further questioned if AVAST was using 2.0.6 at all, citing the 2012 copyright of AVAST's latest SMF installation as evidence.
In a Wednesday post in response to the AVAST forum breach, William Wagner, the SMF project manager who also goes by the name ‘Kindred,' wrote that SMF 2.0.4 used a 2013 copyright, meaning that AVAST might have performed a manual update and did not apply the full SMF-approved patches.
“Patches change version numbers, and if a year changed, it also updates that,” van Hoewijk said. “It only does not change when the update is applied manually instead of automated, but in that case you must still deliberately skip it by ignoring that part of the update.”
If that is the case, then AVAST could have been impacted by one of the vulnerabilities present in SMF 2.0.5 or prior – bugs that were patched in 2.0.6, van Hoewijk said, explaining that AVAST only yesterday decided to share source code and partial log files after initially not being forthcoming with information.
So what did happen?