Anzeige

Am Puls von Microsoft

Anzeige

BitDefender war angreifbar

  • Ersteller Gelöschtes Mitglied 78250
  • Erstellt am
G

Gelöschtes Mitglied 78250

Gast
Eben gelesen von Wladimir Palant
Exploiting Bitdefender Antivirus: RCE from any website | Almost Secure
Exploiting Bitdefender Antivirus: RCE from any website


Conclusions

It’s generally preferable that antivirus vendors stay away from encrypted connections as much as possible. Messing with server responses tends to cause issues even when executed carefully, which is why I consider browser extensions the preferable way of implementing online protection. But even with their current approach, Bitdefender should really leave error handling to the browser.

...


Timeline
2020-04-15: Reported the vulnerability via the Bitdefender Bug Bounty Program.
2020-04-15: Confirmation from Bitdefender that the report was received.
2020-04-16: Confirmation that the issue could be reproduced, CVE number assigned.
2020-04-23: Notification that the vulnerability is resolved and updates are underway.
2020-05-04: Communication about bug bounty payout (declined by me) and coordinated disclosure.
2020-05-12: Confirmation that fixes have been pushed out. Disclosure delayed due to waiting for technology partners.

* RCE = remote code execution

Es wurde also mal wieder nachgewiesen, dass das tiefe Eingreifen von Antivirus-Software in sichere Bereiche von anderen Programme mal wieder für die Tonne ist. Bitdefender ist nur ein Beispiel. Und an diesem Beispiel ist erkennbar, dass nach Kaspersky mit einer eindeutigen ID auch Bitdefdender mit sowas arbeitet und sogar noch mehr auswertet. Damit wäre auch jegliche Anonymität gen Bitdefender futsch.

Weiter unten in den Kommentaren wird auch Avast angesprochen
I did not finish my investigation of the other extensions which are part of the Avast Secure Browser. Given how deeply this product is compromised on another level, I did not feel that there was a point in making it more secure. In fact, I’m not going to write about the Avast Passwords issues I reported to Avast – nothing special here, yet another password manager that made several of the usual mistakes and put your data at risk.
 
Anzeige
Anzeige
Oben