Monday, February 8, 2016

Google Finds Security Holes In Browsers

Google Engineer Finds Holes in Three 'Secure' Browsers

They all used Google's Chromium browser and made it less secure.

Matt Brian | February 4, 2016



It appears no anti-virus or security software is safe from Google Project Zero researcher Tavis Ormandy. After recently exposing holes in products from Trend Micro and AVG, the bug hunter has now gone public with three issues found in software offered by security firms Avast, Comodo and Malwarebytes that allow attackers to access unsuspecting users' PCs.

For Avast, Ormandy identified that its Avastium browser (a fork of Google Chromium) allowed an attacker to "read any file on the filesystem by clicking a link." The exploit involved using a specially crafted JavaScript web page that could bypass built-in checks and potentially allow a malicious party to read cookies and email. The issue was first disclosed on December 8th, but Avast released a patched version of its browser on February 3rd.

For the second year running, Oracle leads the pack, with 514 security vulnerabilities reported, a significant increase from the 424 vulnerabilities discovered in 2012. Java alone had 193 vulnerabilities, with more than 100 of them ‘critical’. Source: http://www.gfi.com/blog/report-most-vulnerable-operating-systems-and-applications-in-2013/

<more at http://www.engadget.com/2016/02/04/tavis-ormandy-chromium-bug-hunter/; related links: https://blog.malwarebytes.org/news/2016/02/malwarebytes-anti-malware-vulnerability-disclosure/ (Malwarebytes Anti-Malware Vulnerability Disclosure. February 1, 2016) and https://www.malwarebytes.org/secure/ (Malwarebytes Bug Bounty and the Coordinated Vulnerability Disclosure Program website)>
