Avast pulls plug on insecure JavaScript engine in its security software suite

Avast has disabled a component in its Windows anti-malware suite that posed, ironically enough, a significant security risk. The software maker switched off the JavaScript interpreter in its toolkit after Google Project Zero's Tavis Ormandy, and his colleagues, alerted the developer to design flaws in the code. According to …

  1. IGotOut

    Bin Avast..

    ...it's no better than the malware that it pretends to protect you from

  2. Dan 55 Silver badge
    WTF?

    A JavaScript engine running as root

    What could possibly go wrong?

    And why did Avast's finest minds not just laugh hysterically and then say "no" when the person who thought of it first shared their idea?

    1. Pascal Monett Silver badge
      Coat

      Re: A JavaScript engine running as root

      It's another case of rogue engineer. Happens a lot these days.

      1. Mike 137 Silver badge

        Re: A JavaScript engine running as root

        Actually Pascal it's more probably the entire discipline of software development populated by folks suffering from the Dunning-Kruger effect. They just aren't aware they don't know what they're doing. Even the NCSC (the UK official cyber security agency) recently made its entire web site a JavaScript app. You can't even see the front page (and thus even the contact details to register an objection) unless JS is enabled.

        The drive to make every web page look like a native application (and, ironically, increasingly every app to look like a web page) hasn't helped either.

        When I started developing for the web (early '90s), we kept three principles in mind:

        [1] do all critical processing server side where you can protect it from misuse

        [2] make all significant content client agnostic so everyone can read it regardless of the tools they're using - the text of any web page should be readable in Lynx.

        [3] allow presentation to degrade gracefully for less competent clients

        All three principles have long been abandoned, resulting in both massive opportunities for malicious actors and exclusion from web resources of anyone who doesn't subscribe to the IT churn (e.g. 70-odd versions of Firefox in 10 years with increasing backward incompatibility and the "deprecation" of PHP functions, breaking existing code).

        The growing mis-application of JavaScript is merely symptomatic of the Dunning-Kruger effect. It's probably the only "language" most of them can code in, so they assume it's ideal for everything.

  3. Aristotles slow and dimwitted horse Silver badge

    Avast == security?

    Surely that's an oxymoron. Avast == impossible to fully remove data gobbling malware, more like.

  4. JCitizen
    Pirate

    ARRGGH!!

    Avast ye matey - yer used ta be a fine warrior, ye wuz; but now ye must walk the plank!!


Biting the hand that feeds IT © 1998–2020