Avast
No better than the spyware it is supposed to stop.
So much so, Mozilla kicked them out before Christmas.
https://www.theregister.co.uk/2019/12/04/avast_avg_mozilla_takedown/
You'd think HTTPS certificate checking would be a cinch for a computer security toolkit – but not so for Avast's AntiTrack privacy tool. Web researcher David Eade found and reported CVE-2020-8987 to Avast: this is a trio of blunders that, when combined, can be exploited by a snooper to silently intercept and tamper with an …
Maybe they were a top player 15 years ago but Microsoft Security Essentials has been around for 11 years now, and all the sensible analysts saw the writing on the wall and switched around 10 years ago.
Now Microsoft call it something else, but the point is that their AV was designed from the ground up not to subvert the Windows API while AVG was designed from the ground up to subvert the Windows API. 15 years ago, that was the only option, but it was never a good option.
If you don't reevaluate your security measures periodically, you can't know that they are still any good.
It is a sad fact they took the bloated universal fits all cr@pware road, so many formerly good AV utilities did - but I finally trashed it over a year ago when it failed to detect a major drive-by attack I got from an infected malvertisement. Sad thing is Essentials or Windows Defender is all we got if we are poor now. But I guess it depends on how you look at it. Almost none of today's competent malware is detectable anyway, so you will have to pay through the nose and get an anti-malware that uses different tactics than yesterday's AM solution.
ESET is probably one of them, but I've had better luck since I ditched Avast, and left my lifetime licensed MBAM solution on board. It turned out Avast was too busy blocking MBAM, and when I finally got rid of it, I found MBAM was doing a better job by itself. It can occasionally trip up undetected malware by simply blocking certain actions by enhancing the Windows permissions themselves. I know I have an attack when the screen goes black and a Windows error box tells me I don't have the permissions to do what "I'm" supposedly trying to do. I think this is also how MBAM fights ransomware - quite similar to CryptoPrevent, but up to date and not free anymore.
If anybody knows of a file cleaner that can get rid of LSO's and Zombie files, please let us know, because now CCleaner has been acquired by Avast, and now it nags you with popup ads as well! So it is just a matter of time before malware finds a vulnerability in it too!
How serious is that?
If the connection between the antitrack proxy and the site was TLS 1.0 then fine, but I thought this was software running on your computer, so someone hoping to take advantage of it would have to be able to intercept the internal connection between two bits of software running on the same machine.
The JavaScript interpreter running as admin and the failure to check the certs seems much more idiotic than using an internal TLS 1.0 connection (if it really is internal, personally I wouldn't touch Avast or AVG with a 10-foot pole so I'm not 100% sure).
If @Matt 83's explanation is accurate, then it isn't exposing you to POODLE as far as I can tell. For POODLE to work, the communications between the client and across a network (usually through a routing device or at the destination site) have to be downgraded to SSL3 or earlier, with the attack occurring on that part of the comms that is at SSL3.
For starters, this is downgrading the connection to TLS1, not SSL3, and as @Matt 83 questioned, is the downgrade along the entire client <-> server communications path, or is it only between the local client browser and the local proxy, where the proxy communicates with the destination site via newer TLS versions? e.g.:
browser <-> TLS1 <-> local (same device as browser) proxy <-> TLS 2+ <-> network
But we don't have enough information, at least from this article, to know. But even then, POODLE requires SSL3 as far as my brief research has found, and, since no citations on POODLE affecting TLS1 were provided, brief is as far as I'll go.
I remember using Avast back in the day and using a couple of the free skins they had available for it. I also remember recommending it as a decent alternative to the big guys.
I saw it on a couple of PCs late last year and wow was it bloated and naggy. They have added so much additional stuff to it that is of course all pay for.
The thing constantly nags you about upgrading to pro or alerts you to a new report about how many infections they stopped worldwide.
Nowadays wouldn't touch it with someone else's bargepole.