Three words you do not want to hear regarding a 'secure browser' called SafePay... Remote. Code. Execution (Security News, June 2020)
Folks running Bitdefender's Total Security 2020 package should check they have the latest version installed following the disclosure of a remote code execution bug.
Security researcher Wladimir Palant said the vulnerability was in a component called Online Protection within that suite, meaning it could be triggered by any website opened in any browser on any computer running the vulnerable Bitdefender package, regardless of whether the user ever opened the Safepay browser.
At the heart of the matter is the way Bitdefender's code handles pages fetched via HTTPS. "Occasionally their product will have to modify the server response, for example on search pages where they inject the script implementing the Safe Search functionality," Palant explained.
Because that error page is rendered under the URL of the site the user was trying to reach, it is same-origin with the attacker's own site. A first page served with a good certificate could therefore use XMLHttpRequest to fetch the contents of the error page shown for a later, deliberately failed request to the same host, and the browser would hand that content over, since the same-origin policy sees nothing to block.
"Improper input validation vulnerability in the Safepay browser component of Bitdefender Total Security 2020 allows an external, specially crafted web page to run remote commands inside the Safepay Utility process," the biz acknowledged.
News URL: https://go.theregister.com/feed/www.theregister.com/2020/06/24/bitdefender_safepay_rce/