Decade-old bugs discovered in Avast, AVG antivirus software

Discussions of applications and operating systems and any problems, tips or suggestions. Win XP, 9x/2k, Linux, NT, photo editing, Virus/Spyware help
Post Reply
User avatar
The artist formerly known as Renovation
Posts: 1507
Joined: Wed Feb 17, 2016 10:35 pm

Decade-old bugs discovered in Avast, AVG antivirus software

Post by reno »

Researchers have disclosed two high-severity vulnerabilities in Avast and AVG antivirus products which have gone undetected for ten years.

Cyber security 101: Protect your privacy from hackers, spies, and the government
Simple steps can make the difference between losing your online accounts or maintaining what is now a precious commodity: Your privacy.
On Thursday, SentinelOne published a security advisory on the flaws, tracked as CVE-2022-26522 and CVE-2022-26523.

Avast acquired AVG in 2016 for $1.3 billion. According to the cybersecurity firm, the vulnerabilities have existed since 2012 and, therefore, could have affected "dozens of millions of users worldwide."

CVE-2022-26522 and CVE-2022-26523 were found in the Avast Anti Rootkit driver, introduced in January 2012 and also used by AVG. The first vulnerability was present in a socket connection handler used by the kernel driver aswArPot.sys, and during routine operations, an attacker could hijack a variable to escalate privileges.
The second vulnerability, CVE-2022-26523, is described as "very similar" to CVE-2022-26522 and was present in the aswArPot+0xc4a3 function.

"Due to the nature of these vulnerabilities, they can be triggered from sandboxes and might be exploitable in contexts other than just local privilege escalation," SentinelLabs said. "For example, the vulnerabilities could be exploited as part of a second-stage browser attack or to perform a sandbox escape, among other possibilities."

SentinelLabs reported the vulnerabilities to Avast on December 20, 2021. By January 4, the cybersecurity solutions provider had acknowledged the report and released fixes in Avast v.22.1 to deal with the vulnerabilities after triage.

The vulnerabilities were patched by February 11. SentinelLabs said there is no evidence of active exploitation in the wild. ... -software/
Post Reply