PT-2020-9879 · Avast · Avast Secure Browser
Published 2020-01-27 · Updated 2023-01-31 · CVE-2019-17190
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Avast Secure Browser version 76.0.1659.101
Description
A Local Privilege Escalation issue was discovered due to an insecure ACL set by AvastBrowserUpdate.exe when AvastSecureBrowser.exe checks for new updates. The elevated process resets the ACL of the Update.ini file in %PROGRAMDATA%\Avast Software\Browser\Update and grants all privileges to the Everyone group. This allows a low-privileged attacker to create a hard link named Update.ini that points to a file writable by NT AUTHORITY\SYSTEM. Because a hard link shares the security descriptor of the file it names, once AvastBrowserUpdate.exe is triggered the misconfigured DACL is applied to both the crafted Update.ini and the target file, allowing the attacker to gain elevated privileges.
Recommendations
For Avast Secure Browser version 76.0.1659.101, consider restricting access to the AvastBrowserUpdate.exe and AvastSecureBrowser.exe until a patch is available. As a temporary workaround, avoid triggering the update check functionality to prevent the exploitation of this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
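The two conditions the description above depends on can be audited from PowerShell: whether the Update.ini DACL grants write-capable rights to Everyone or Authenticated Users, and whether Update.ini currently has more than one hard link. The script below is an added example, not code from the advisory or from Avast; it assumes the Update.ini path given in the description and uses fsutil to enumerate hard links.

```powershell
# Added audit script (not part of the advisory or of Avast's software). It reports the two
# conditions the advisory describes: a DACL on Update.ini that grants write-capable rights to
# Everyone / Authenticated Users, and Update.ini having more than one hard link.
# $UpdateIni is the path named in the advisory; adjust it if your install differs (assumption).
$UpdateIni = Join-Path $env:ProgramData 'Avast Software\Browser\Update\Update.ini'

function Test-UpdateIniExposure {
    param([string]$Path = $UpdateIni)
    $findings = @()
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Findings = @('file not present') }
    }

    # 1. Inspect the DACL. Any Allow ACE for Everyone (S-1-1-0) or Authenticated Users (S-1-5-11)
    #    that carries Write, WriteDac, TakeOwnership or FullControl bits is a finding.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, WriteDac, TakeOwnership, FullControl'
    $acl = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $sid = $rule.IdentityReference.Value
        if (($sid -eq 'S-1-1-0' -or $sid -eq 'S-1-5-11') -and (([int]$rule.FileSystemRights -band $writeMask) -ne 0)) {
            $findings += "weak ACE: $sid is allowed $($rule.FileSystemRights)"
        }
    }

    # 2. Count hard links. On NTFS the security descriptor belongs to the file record, not to any
    #    one of its names, so an ACL reset on Update.ini also reaches every other name of that file.
    $links = @(& fsutil.exe hardlink list $Path 2>$null | Where-Object { $_ })
    if ($links.Count -gt 1) {
        $findings += "multiple hard links: $($links -join '; ')"
    }

    [pscustomobject]@{ Path = $Path; Exists = $true; Findings = $findings }
}

Test-UpdateIniExposure | Format-List
```

An empty Findings list means the file exists with no write-capable ACE for those groups and only one name; run it again after an update check to see whether the updater has reset the DACL.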
Weakness Enumeration
Incorrect Authorization
Related Identifiers
CVE-2019-17190
Affected Products
Avast Secure Browser