
Avast Antivirus: X.509 Error Rendering Command Execution - mattkrea
https://code.google.com/p/google-security-research/issues/detail?id=546&can=6&sort=summary
======
jimrandomh
Such is the nature of security vulnerabilities: you look at it and it looks
like a really stupid mistake, one that would be really easy to not have made.
But the difficulty of writing secure software is not about avoiding any one
particular mistake; it's the sheer number of mistakes available to be made, so
that it's easy for one mistake to slip through the cracks. To their credit,
they seem to have been pretty quick to respond and fix this one (reported on
Sep 25, patch live on Oct 1).

~~~
dogma1138
A simple adherence to security guidelines for web applications would've
prevented it like HTML encoding any values before reflecting them to the
client.

So while this is very stupid, this isn't excusable under gosh software is
complicated, this is basically XSS in a desktop application.

If this was some RCE through the scanning or sand-boxing engine I would say
fine, but this is pretty much the most common web vulnerability out there, I
don't understand companies that build HTML based interfaces and decide to
simply forgo all of the existing guidelines for web development because it's
not a website.
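As an added illustration of the HTML-encoding point above (constructed for this thread, not code from Avast or from the original report): a certificate-error renderer that interpolates the remote certificate's CN into markup, first unescaped and then with a minimal encoder applied. It assumes the CN arrives as a plain string and that the UI is built by string concatenation.

```javascript
// Added example: rendering an untrusted X.509 field (the CN) into an HTML-based
// UI. The value comes from the remote certificate, so it is attacker-controlled
// and must be treated like any other reflected input.

// Minimal HTML entity encoder for text placed inside element content or a
// double-quoted attribute value. Ampersand goes first so later replacements
// are not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The flawed pattern: raw concatenation, so any markup inside the CN is
// parsed as part of the page rather than shown as text.
function renderCertErrorUnsafe(cn) {
  return "<p>The certificate for <b>" + cn + "</b> could not be verified.</p>";
}

// The hardened pattern: every reflected value is encoded before insertion.
function renderCertErrorSafe(cn) {
  return "<p>The certificate for <b>" + escapeHtml(cn) + "</b> could not be verified.</p>";
}

// Counts tag openers in a rendered fragment; the template itself contributes
// exactly four (<p>, <b>, </b>, </p>), so anything above that came from the CN.
function countTagOpeners(html) {
  return (html.match(/</g) || []).length;
}

// Constructed sample CN containing characters that matter to an HTML parser.
const SAMPLE_CN = 'example.test <i>"not"</i> & \'co\'';
```

Running `countTagOpeners` over both renderings shows the unsafe version gaining two extra tags from the CN while the safe version stays at the template's four.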

~~~
jimrandomh
This seems unnecessarily harsh. As you said, XSS is one of the most common
vulnerabilities out there - in other words it's a very easy and common mistake
to make. I wish we lived in a world where writing an XSS vulnerability was
inexcusable incompetence, but the actual world we live in is one where even
the best will slip up sometimes and we have to depend on audits, patching and
defense in depth. (Which is exactly what happened here; a security researcher
audited it, found the problem, and it was promptly patched.)

~~~
dogma1138
XSS is one of the easiest vulnerabilities to both detect and avoid; this
should never have come to the point of release.

------
excel2flow
Please can someone elaborate on claim: "… is pretty simple to convert into
remote code execution"? Especially the "pretty simple" bit.

------
EvanAnderson
The CN on the PoC certificate is amusing.

------
dang
Please do not use the titles of HN submissions to editorialize. (Submitted
title was "Avast Antivirus: X.509 Error Rendering Command Execution (patched
but shocking)".)

~~~
mattkrea
Copy. I sat thinking about the title for a bit. I primarily wanted to point
out that I did not miss the fact that it had been corrected--merely that it is
a surprising vulnerability.

~~~
dang
It's ok to add a first comment to the thread explaining what you find
important about the article.

The reason that's better is that then your comment is on a level field with
everyone else's.

