Well-known researcher Tavis Ormandy, a member of Google's Project Zero team, also released a tool to simplify the analysis of vulnerabilities in the emulator, according to a couple of tweets by Avast.
This runs unsandboxed as SYSTEM, any vulns are wormable pre-auth RCE on 400M endpoints ¯\_(ツ)_/¯ https://t.co/vGrfke7fPd pic.twitter.com/gk1VpvHQ16
"Today, [Wednesday AEDT] to protect our hundreds of millions of users, we disabled the emulator," the company said.
It added that the functionality of its A-V product would not be affected as it was based on multiple layers of security.
And another said: "Your engineers placed an unsandboxed JS interpreter, running untrusted code by design, inside your highly privileged AvastSvc.exe process.
"This is not some unfortunate, easily overlooked bug, this is proof of utter incompetence regarding basic security architecture."
A third individual agreed with this post, writing, "I totally agree. And you think anybody gives a s***? The world is a bitch and they will continue selling it. Ffs. Security doesn’t run the world :)."
Avast was in the news last year and again in 2018 over issues with its CCleaner application; last year, attackers breached its internal network to get to the application while in 2018 the CCleaner app was compromised and used to spread malware.
At that time, the company made numerous posts on its public blog, explaining each development as it came to light. But over the Ormandy issue, the company has not published any blog entry.
@natashenka is the Twitter handle for Natalie Silvanovich, another member of the Google Project Zero team.
The vulnerability report they mention wasn't just me, it was a Project Zero collaboration with @natashenka
I think this is the right decision, it was a *lot* of attack surface. https://t.co/iFyry17HD0
"I think this is the right decision, it was a *lot* of attack surface," Ormandy added.