Hello Avast fans!
It is my pleasure to officially announce the new Avast bug bounty program. As a security company, we very much realize that security bugs in software are reality. But we also realize that companies that are able to use their user communities to find and fix bugs are generally more successful that those that don’t. Therefore, we have decided to reward individuals who help us find and fix security-related bugs in our own software. This makes us probably the first security vendor with a reward program like this: I think it’s mainly because the other companies generally take the position that ‘Hey, we’re a security company. So we know security and it can’t happen to us.’ But in reality, that’s not what’s happening. Just look at bugtraq or the CVE databases and you will find that security software is no more immune to these issues than any other programs. A bit of irony, given that people generally install security software to fight security issues in the first place, isn’t it?
We at Avast take this very seriously. We know that being a market leader (Avast has more users than any other AV company in the world), we’re a very attractive target for the attackers. So, here’s our call to action: let’s unite and find and fix those bugs before the bad guys do!
Here’s how it works:
- The bounty program is designed for security-related bugs only. Sorry, we’re not paying for other types of issues like bugs in the UI, localization etc. (nevertheless, if you find such a bug, we will of course very much appreciate if you report it).
- This program is currently intended only for our product, i.e. not the website etc.
- We’re generally only interested in these types of bugs (in the order of importance):
- Remote code execution. These are the most critical bugs.
- Local privilege escalation. That is, using Avast to e.g. gain admin rights from a non-admin account.
- Denial-of-service (DoS). In case of Avast, that would typically be BSODs or crashes of the AvastSvc.exe process.
- Escapes from the avast! Sandbox (via bugs in our code)
- Certain scanner bypasses. These include include straightforward, clear bypasses (i.e. scenarios that lead to direct infection, with no additional user input), as opposed to things like deficiencies in the unpacking engine etc. In other words, we’re interested only in cases that cannot be mitigated by adding a new virus definition (please don’t report undetected malware)
- Other bugs with serious security implications (will be considered on a case by case basis).
- The base payment is $200 per bug. Depending on the criticality of the bug (as well as its neatness) the bounty will go much higher (each bug will be judged independently by a panel of experts). Remote code execution bugs will pay at least $3,000 – $5,000 or more.
- We might change these ranges based on the number and quality of incoming reports. Generally, the less reports we will get, the higher the bounty will go.
- We will only pay for bugs in Avast itself. For example, if you find a bug in a Microsoft library (even if it’s used by Avast), please report it to Microsoft instead (it would be great if you could also notify us, but unfortunately, we cannot offer any reward in such cases).
- The program is currently limited to consumer Windows versions of Avast (i.e.: Avast Free Antivirus, Avast Pro Antivirus, and Avast Internet Security). Only bugs in the latest shipping versions of these products will be considered.
- Payment will be done preferably by PayPal. If you can’t accept PayPal (e.g. because it doesn’t work in your country), please get in touch with us and we will try to figure out something else.
- Because of certain legal restrictions, we cannot accept submissions from the following countries: Iran, Syria, Cuba, North Korea and Sudan.
- It is the researcher’s own responsibility to pay any taxes and other applicable fees in their country of residence.
- In order to be eligible for the bounty, the bug must be original and previously unreported.
- If two or more researchers happen to find the same bug, the bounty will be paid only to the one whose submission came in first.
- You must not publicly disclose the bug until after an updated version of Avast that fixes the bug is released. Otherwise, the bounty will not be paid.
- The bounty will be paid only after we fix the issue (or, in specific cases, decide to not fix it).
- Some bugs may take longer to correct. We will do our best to fix any critical bugs in a timely fashion. We appreciate your patience.
- Employees of AVAST and their close relatives (parents, siblings, children, or spouse) and AVAST business partners, agencies, distributors, and their employees are excluded from this program.
- We reserve the right to change the rules of the program or to cancel it at any time.
How to report a bug and qualify for the bounty:
- Please submit the bug to a special email address firstname.lastname@example.org
- If you’d like to encrypt your email (recommended), please use this PGP key.
- A good bug report needs to contain sufficient information to reliably reproduce the bug on our side. Please include all information that may be relevant – your exact environment, detailed bug description, sample code (if applicable) etc. It also needs to contain a decent analysis – this is a program designed for security researchers and software developers and we expect certain quality level.
- You will receive a response from an Avast team member acknowledging receipt of your email, typically within 24 hrs. If you do not receive a response, please do not assume we’re ignoring you – we will do our best to follow up with you asap. Also, in such a case it is possible your email didn’t make it through a spam filter.
Finally, I’d like to say thanks to everyone who helps to find and fix bugs in our products. Hopefully, this new reward program will take this initiative to a whole new level.
P.S. The bug bounty rules are also available on our main website here.
The Avast Research Lab is where some of the Avast’s brightest brains essentially create new ways of detecting malware. These are either features inside the product (such as FileRep and autosandboxing, including all of its recent development) as well as components that run on our backend – i.e. things that users don’t necessarily see but that are equally important for the overall quality of the product.
In fact, working on the backend stuff takes up more of their time these days, as more and more intelligence in Avast is moving to the cloud and/or is being delivered in almost real time via the avast! streaming update technology. Read more…
Today, we have released a brand new avast! program update, version number 7.0.1473. It’s the last program update we plan to do before version 8 (slated for Q1 2013). I’d like to take this opportunity and explain some of its new features.
First and foremost, the new version is fully compatible with Windows 8 – scheduled to finally hit the stores this Friday. The changes we have made went well beyond just making sure everything works. For example, we had to replace the internals of the Network and Web Shields to accommodate the new networking APIs in Windows 8. Also, we had to make sure avast! plays nicely with the new Windows Security Center and that it correctly handles certain scenarios that are new to Windows 8.
This version of avast! will shortly be officially certified with the Windows 8 Compatible logo, and will be included in the new Windows Store.
avast! Free Antivirus just earned another VB100 award, this time in the August 2012 Virus Bulletin comparative review for Windows 7 – with a perfect score of 100%.
According to the review, avast! “routinely elicits warm, affectionate smiles from the test team, with this month’s submission promising more of the same.” As well, we were told that “Avast earns another VB100 award fairly easily” in this case.
We offer much thanks to our beta testers, our developers, and our QA team for all their hard work in making software that is easy to stand behind.
A list of other awards and certifications earned by avast! in recent years can be found here: http://www.avast.com/awards-certifications (incomplete list)
Last week, Amazon announced its new Kindle line up. There’s a lot being said about the red-hot competition between the Kindle Fire, the iPad, Google’s Nexus tablet, and Microsoft’s Surface tablet. But what drew my attention most of all was Amazon’s announcement about greater parental controls. The new Kindle Fire tablets will include an app called Kindle FreeTime for enhanced parental controls.
Parental controls on the Kindle took a big step forward this past May with the 6.3.1 release, adding the ability to password protect purchases and disable access to specific content. Amazon’s Kindle FreeTime app goes further, allowing parents to set time limits based on the type of content their children are viewing, such as games or videos. It will also support setting different policies for different children.
The first of these devices is not available until Sept 14. Judging from the commentary on the Web, there’s a lot of interest in these features, but at this stage there are also a lot more questions than answers.
- Will the Kindle FreeTime app be available for v1 Kindle Fire tablets? That’s unclear.
- Will it support time-of-day restrictions, such as “no games after 8pm”, as well as total activity time? The answer seems to be No.
- What about filtering by age-appropriateness of content, not just by content type? There’s no indication Amazon will have this.
- Will the time controls also cover books, for those parents whose kids read too much or too late into the night? No. Apparently Jeff Bezos thinks that there’s never too much of a good thing when it comes to reading, even if it’s at the expense of homework or a good night’s sleep.
- What about parental controls for the “classic” Kindle readers? Sorry, you’re out of luck. Go buy a new Kindle Fire…or put it on your Amazon Wish List
As a parent of a 12-year old girl, one who buys too many Kindle books in general and who, lamentably, has begun to gravitate towards literary content more appropriate to a 16 year old, I find Amazon is not providing me with the controls and oversight I would like. But for my 10 year old boy who is content spending his entire day hunting zombies, Kindle FreeTime is completely sufficient.
What are your feelings about parental controls for Kindles and other tablets? What works for you? Have you found any good ways to limit or monitor your child’s activities? What are your wishes or frustrations with the devices as a parent?
Those of you who manage Windows servers and endpoints for SMBs or enterprise will be interested to read the latest review of avast! Endpoint Protection Suite from eSecurity Planet. Technology journalist Paul Rubens looked into the nuts n’ bolts of our business product and found the same award-winning multi-layered protection approach as the consumer products –with the addition of server protection and a choice of two central management consoles, Small Office Administration or Enterprise Administration.
The web-based Small Office Administration console is designed for companies with up to 200 end users. Unskilled administrators have a user-friendly central window which controls all functions of endpoint and server security. Despite its simplicity, it offers remote installation and updates of endpoint software, scanning and remote running of scan jobs, and virus activity reporting. There’s also an auto-discovery of new/unprotected or “rogue” machines connected to your company network.
The Enterprise Administration console is accessed as a Windows application and offers sophisticated functionality for skilled IT staff. Admins manage devices organized in a hierarchical tree structure based for example, on the geographical or organizational structure of their network, which makes it possible for them to assign administration access rights and policies. It also includes customizable alerting so they can receive a warning by email regarding activity on your network that warrants their attention.
Few years back a group of bad guys from Estonia had neat idea how to get between you and the sites you want to visit on internet. They created malware which was named by AV companies DnsChanger. The main purpose of the malware was to change DNS servers your computer uses for the name to ip address translation to the servers operated by the criminals. This way they can intercept your traffic and eventually monetize it. The gang was later arrested and the servers confiscated by FBI. And there lies the problem, because FBI was ordered by the court that they must turn off these servers on Monday July 9th 2012. There are still about 300 000 computers around which are using the wrong DNS servers, so although the probability you’re one of them is quite low, it’s better to be safe than sorry and check if it may concern you.
The new version is 7.0.1451 and contains the following totally new features:
- WebRep now supports Opera
- SiteCorrect module for the detection of unwanted websites
And, in addition to the new features, our developers have made the following modifications:
- Changes in the AutoSandbox module
- Outlook plugin redesign
- Windows 8 compatibility updates
- Emergency Updater
- Improvements to Remote Assistance (support for UAC prompts, etc.)
- Improvements to avast! SafeZone™ (protection against kernel-mode keyloggers, updated SafeZone Browser, clipboard sharing, etc.)
We offer very special thanks to our developers, our QA team, and most importantly our loyal users, who have for many years provided us with great constructive feedback. Anyone can complain, but avast! users consistently amaze us with their new ideas.
For more technical info, please visit http://forum.avast.com/index.php?topic=100247.0
For the millions of you who have avast! already installed, just open your avast! control panel, then go to Maintenance -> Update Program
Or, you may download the new update file directly here http://files.avast.com/iavs5x/avast_free_antivirus_setup.exe
Yesterday, LinkedIn started investigating a password leak, followed by online dating site eHarmony, and now online music streaming site LastFM has announced on their blog that they too are investigating the leak of user passwords. As a precautionary measure, they are advising all their users to change their passwords immediately. You can do that here.
Yesterday, a Russian hacker reportedly stole 6.5 million LinkedIn passwords and 1.5 million passwords from eHarmony. It is not yet known if the hacking incidents are related.
It’s worth repeating the password tips my colleague Jindrich Kubec wrote in an earlier blog post.
A simple 5 step procedure for creating new passwords:
- Avoid anything ‘personal’ such as names and birth dates – see this list for examples of passwords to avoid
- Avoid overly complex passwords as you don’t want to write them down
- Don’t reuse passwords anywhere – leaks will happen in the future and you don’t want a single leak giving the bad guys keys to all the online services you use
- Longer passwords are always better
- Beware the phishers: always ensure you’re doing sensitive operation on the legitimate site, under a secure and verified connection. I’d also recommend never clicking on links in emails to update sensitive information Instead, manually enter the site and make changes.
Yesterday, password databases from two popular websites were leaked in an underground forum popular with computer hackers. 6.5 million passwords from LinkedIn and a further 1.5 million passwords from internet dating site eHarmony were divulged following attacks on these sites.
LinkedIn has already acknowledged the leak, and have said they are changing the algorithm for storing sensitive data and will email users instructions on how to reset password.