Several antivirus vendors have taken the open-source Chromium browser and created derivatives that they claim are more privacy-friendly and secure. Yet, at least two of them were recently found to have serious flaws that don’t exist in Chromium.
The latest example is the Avast SafeZone browser, internally known as Avastium, which is installed with the paid versions of Avast’s antivirus and security suites. Google Project Zero researcher Tavis Ormandy found a vulnerability that could allow an attacker to take control of Avastium when opening an attacker-controlled URL in any other locally installed browser.
By exploiting the flaw, an attacker could remotely read “files, cookies, passwords, everything,” Ormandy said in a report that he sent to Avast in December and which he made public Wednesday. “He can even take control of authenticated sessions and read email, interact with online banking, etc.”