It appears no anti-virus or security software is safe from Google Project Zero researcher Tavis Ormandy. After recently exposing holes in products from Trend Micro and AVG, the bug hunter has recently gone public with three issues found in software offered by security firms Avast, Comodo and Malwarebytes that allow attackers to access unsuspecting users' PCs.
It's a similar story for Comodo's Internet Security software and its Chromodo browser. When users install the software suite, their existing Chrome installation is replaced with Comodo's own. It was meant to be "private," but it wasn't. When it's executed, "all shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices," notes Ormandy.
While Chrome operates a same-origin policy, which ensures that only scripts from the same website can access from each other, Chromodo disabled that protection and left users open to having their private data sniffed by malevolent websites. However, eWeek reports that the fault wasn't with the browser, but an add-on. Comodo director Charles Zinkowski says the company released a new version of the browser without the add-on on February 3rd, which has fixed the issue for all users.
In the case of Malwarebytes, Ormandy found that its Anti-Malware browser wasn't downloading updates securely, which could leave users open to a man-in-the-middle attack. An attacker could mimic the company's built-in checks and run their own code on a user's machine. The issue was severe enough for Malwarebytes CEO Marcin Kleczynski to address it on the company blog, but it could take up to four weeks for them to fix it.
Google's Project Zero discloses vulnerabilities from companies that use the Chromium browser to launch their own secure browsers. The browsers tend to ship alongside anti-virus software and the temptation for vendors is to overwrite users' existing settings to better protect them. As you can see, those methods often disable protections within the browser, leaving some users more vulnerable than before they installed the security tool.