{"id":3543,"date":"2020-06-02T23:40:55","date_gmt":"2020-06-02T23:40:55","guid":{"rendered":"https:\/\/www.affinite.fr\/index.php\/2020\/06\/02\/une-faille-critique-dans-avast-permettait-de-pirater-les-ordinateurs-a-distance\/"},"modified":"2020-06-02T23:40:55","modified_gmt":"2020-06-02T23:40:55","slug":"une-faille-critique-dans-avast-permettait-de-pirater-les-ordinateurs-a-distance","status":"publish","type":"post","link":"http:\/\/www.affinite.fr\/index.php\/2020\/06\/02\/une-faille-critique-dans-avast-permettait-de-pirater-les-ordinateurs-a-distance\/","title":{"rendered":"Une faille critique dans Avast permettait de pirater les ordinateurs \u00e0 distance"},"content":{"rendered":"<p> [ad_1]<br \/>\n<br \/><img decoding=\"async\" src=\"https:\/\/img.bfmtv.com\/i\/0\/0\/480757\/b30069f943717d0dcb97f63b9c.jpg\" \/><\/p>\n<div itemprop=\"articleBody\">\n<p>Les cordonniers sont souvent les plus mal chauss\u00e9s. C\u2019est \u00e9galement vrai pour les \u00e9diteurs de logiciels de s\u00e9curit\u00e9. Deux chercheurs en s\u00e9curit\u00e9 de Google Project Zero, Tavis Ormady et Natacha Silvanovich, ont r\u00e9cemment d\u00e9tect\u00e9 une faille critique dans l\u2019interpr\u00e9teur Javascript du moteur antivirus d\u2019Avast. Cette vuln\u00e9rabilit\u00e9, dont ils r\u00e9v\u00e8lent d\u00e9sormais tous les d\u00e9tails, \u00e9tait particuli\u00e8rement nocive, car elle permettait d\u2019ex\u00e9cuter du code \u00e0 distance avec les plus hauts privil\u00e8ges (System).<\/p>\n<div data-force-click=\"true\" class=\"bloc\">\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">Here are the details of the remote code execution vulnerability <a href=\"https:\/\/twitter.com\/natashenka?ref_src=twsrc%5Etfw\">@natashenka<\/a> and I found in Avast Antivirus earlier this year. An unsandboxed JavaScript interpreter was running untrusted JavaScript with SYSTEM privileges ?\u200d\u2642\ufe0f<a href=\"https:\/\/t.co\/JE7VZuKUJN\">https:\/\/t.co\/JE7VZuKUJN<\/a><\/p>\n<p>\u2014 Tavis Ormandy (@taviso) <a href=\"https:\/\/twitter.com\/taviso\/status\/1267496824396365827?ref_src=twsrc%5Etfw\">June 1, 2020<\/a><\/p><\/blockquote><\/div>\n<p>C\u2019\u00e9tait d\u2019autant plus risqu\u00e9 que l\u2019\u00e9diteur n\u2019a impl\u00e9ment\u00e9 que peu de protections autour de son interpr\u00e9teur fait maison. <em>\u00ab\u00a0Bien que [ce processus] soit hautement privil\u00e9gi\u00e9 et qu\u2019il traite par d\u00e9finition des entr\u00e9es non fiables, il ne tourne pas dans un bac \u00e0 sable et ne dispose que de peu de garde-fous. Toutes les vuln\u00e9rabilit\u00e9s d\u2019un tel processus sont hautement critiques, peuvent \u00eatre transform\u00e9es en ver et sont facilement accessibles aux attaquants distants\u00a0\u00bb<\/em>, explique Tavis Ormandy dans une note de blog. Difficile de faire pire en la mati\u00e8re.<\/p>\n<aside class=\"bg-color-0 padding-inside-all-s bloc border-s\">\n<h4 class=\"box-txt-normal\">\n<p><b>A d\u00e9couvrir aussi en vid\u00e9o<\/b><\/p>\n<\/h4>\n<\/aside>\n<p>La bonne nouvelle, c\u2019est que cette faille a \u00e9t\u00e9 corrig\u00e9e assez rapidement. Alert\u00e9 le 3\u00a0mars, Avast a \u00e9vacu\u00e9 le probl\u00e8me le 11\u00a0mars\u2026 en d\u00e9sactivant purement et simplement son interpr\u00e9teur. Dans un tweet, l\u2019\u00e9diteur a ajout\u00e9 que cela n\u2019impacterait pas le fonctionnement du produit qui dispose <em>\u00ab\u00a0de plusieurs couches de s\u00e9curit\u00e9\u00a0\u00bb<\/em>. Certains twittos ont n\u00e9anmoins estim\u00e9 qu\u2019une telle faille \u00e9tait la preuve <em>\u00ab\u00a0d\u2019une incomp\u00e9tence crasse en mati\u00e8re d\u2019architecture de s\u00e9curit\u00e9\u00a0\u00bb<\/em>. Ouch\u00a0!<\/p>\n<p><strong>Source<\/strong>: <a href=\"https:\/\/bugs.chromium.org\/p\/project-zero\/issues\/detail?id=2018\" target=\"_blank\" rel=\"noopener noreferrer\">Google<\/a><\/p>\n<\/p><\/div>\n<p><script async src=\"http:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><script>\n         !function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function()\n         {n.callMethod? n.callMethod.apply(n,arguments):n.queue.push(arguments)}\n         ;if(!f._fbq)f._fbq=n;\n             n.push=n;n.loaded=!0;n.version='2.0';n.queue=[];t=b.createElement(e);t.async=!0;\n             t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,\n                 document,'script','https:\/\/connect.facebook.net\/en_US\/fbevents.js');\n         fbq('init', '1065890633454496');\n         fbq('track', 'PageView');\n     <\/script><br \/>\n<br \/>[ad_2]<br \/>\n<br \/><a href=\"https:\/\/www.01net.com\/actualites\/une-faille-critique-dans-avast-permettait-de-pirater-les-ordinateurs-a-distance-1925792.html\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[ad_1] Les cordonniers sont souvent les plus mal chauss\u00e9s. C\u2019est \u00e9galement vrai pour les \u00e9diteurs de logiciels de s\u00e9curit\u00e9. Deux &hellip; <a href=\"http:\/\/www.affinite.fr\/index.php\/2020\/06\/02\/une-faille-critique-dans-avast-permettait-de-pirater-les-ordinateurs-a-distance\/\" class=\"more-link\">Plus <span class=\"screen-reader-text\">Une faille critique dans Avast permettait de pirater les ordinateurs \u00e0 distance<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":3544,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-3543","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tous"],"_links":{"self":[{"href":"http:\/\/www.affinite.fr\/index.php\/wp-json\/wp\/v2\/posts\/3543"}],"collection":[{"href":"http:\/\/www.affinite.fr\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.affinite.fr\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.affinite.fr\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.affinite.fr\/index.php\/wp-json\/wp\/v2\/comments?post=3543"}],"version-history":[{"count":0,"href":"http:\/\/www.affinite.fr\/index.php\/wp-json\/wp\/v2\/posts\/3543\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/www.affinite.fr\/index.php\/wp-json\/wp\/v2\/media\/3544"}],"wp:attachment":[{"href":"http:\/\/www.affinite.fr\/index.php\/wp-json\/wp\/v2\/media?parent=3543"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.affinite.fr\/index.php\/wp-json\/wp\/v2\/categories?post=3543"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.affinite.fr\/index.php\/wp-json\/wp\/v2\/tags?post=3543"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}