Earliest adopters of updated program should download again to ensure full security.
Mary Landesman, special to PC World
Friday, August 13, 2004
Just days after Lavasoft launched new versions of its popular Ad-Aware security program, PC World tests revealed a significant security issue that has prompted Lavasoft to quickly patch the program--but the company's update procedure may leave some customers vulnerable.
Users who are running versions of Ad-Aware SE Plus or SE Pro earlier than the current v1.03, which is available now for download, should redownload their copies of the application. This is Ad-Aware's third update in a week's time, but the most urgent. Simply running the software's Web Update feature--which downloads the latest definition files--will not correct the problem.
Lavasoft posted Ad-Aware SE Plus and SE Pro 1.0, as well as its free version, Ad-Aware SE, on August 9. The company revised the release on August 10, renumbering it to v1.02, and addressed the reported hole in its Ad-Watch component with the release of v1.03 on August 13.
With the Ad-Aware SE release, Lavasoft improves the interface and adds many new scanning features. For example, it can now monitor real-time memory processes for anomalies; scan the registry for every user, not just the one who is logged in; provide more aggressive pop-up blocking; and more. The Pro version provides additional support for networks; the free version lacks Ad-Watch, a real-time monitoring component. Ad-Aware SE Pro is priced at $39.95; Ad-Aware SE Plus costs $26.95.
Ad-Watch Dozes Off?
Ad-Aware's Ad-Watch component is designed to monitor for changes to a user's system that might indicate the presence of spyware, and to block such intrusion attempts either automatically or by user preference.
PC World uncovered the hole when testing Ad-Aware SE Plus v1.02 using a collection of spyware that includes hijackers, miscreant code that redirects the user's Internet start and search pages to a host of unsavory sites. Instead of identifying the hijackers, Ad-Watch was strangely silent and failed to report the changes being made to a spyware-critical section of the System Registry.
Because that version of Ad-Watch was not catching the covert action, the hijackers were able to change the preferred start and search pages to undesired sites--including, in one instance, a site recently shut by criminal investigators for distributing child pornography. Also at issue in v1.02 was the Ad-Aware scanner, which neglected to find an infected file installed by the pornographer's hijacker.
Inquiries and documentation sent to Lavasoft were met with confirmation that a serious hole remained in the program's protection features. A fix was delivered within 24 hours.
PC World was testing Ad-Aware SE Plus; Ad-Aware SE Pro also contains the Ad-Watch component. Ad-Aware SE, the free version, lacks the active monitoring feature and is not likely to be affected by this vulnerability.
Lavasoft has declined to comment on PC World's findings, other than providing the updated v1.03.
Fooling the Fix
Lavasoft may still need to address the issue, as the company's quick response may leave as-yet unseen holes unpatched. Subsequent attempts to infect the system with hijackers that modified the start and search pages via the System Registry were appropriately blocked.
However, Lavasoft programmers apparently addressed only simple name recognition based on the logfiles provided by PC World. Ad-Watch is now alerted to the hijackers used in testing; by simply renaming the hijacker's file, we were able to bypass detection by the Ad-Aware scanner.
But Aaron Hulett, chief research officer for Lavasoft, has claimed that while other anti-spyware products may be vulnerable to this trick, Ad-Aware should not be.
"Many [spyware programs] have rotating filenames, or rotating registry information, making some of the other anti-spyware tools ineffective," Hulett writes in a Lavasoft newsletter, The Spyware of Today.
In the same article, Hulett says Ad-Aware software "uses file signatures as its detection basis, and not filename recognition like some other anti-spyware programs out there. It identifies the file, regardless of filename."
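The difference between filename recognition and content-based identification discussed above, as an added example (not Lavasoft's code and not part of the original article): a constructed stand-in file is scanned before and after it is renamed. The blocklists, the file names and the use of a whole-file SHA-256 hash as the "signature" are assumptions for illustration; the article does not say how Ad-Aware computes its signatures.

```python
import hashlib
import os
import tempfile

# Constructed stand-in bytes for a known-bad file; not a real sample.
SAMPLE = b"CONSTRUCTED-HIJACKER-SAMPLE"
NAME_DEFS = {"hijack.exe"}                         # hypothetical filename-based definition
HASH_DEFS = {hashlib.sha256(SAMPLE).hexdigest()}   # hypothetical content-based definition


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan(root):
    """Return {relative path: set of detectors that flagged the file}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            flagged = set()
            if name.lower() in NAME_DEFS:
                flagged.add("name")
            if sha256_file(full) in HASH_DEFS:
                flagged.add("hash")
            results[os.path.relpath(full, root)] = flagged
    return results


def demo():
    """Scan a temp directory before and after the flagged file is renamed."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "hijack.exe"), "wb") as fh:
            fh.write(SAMPLE)
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"benign constructed file")
        before = scan(root)
        os.rename(os.path.join(root, "hijack.exe"), os.path.join(root, "update.exe"))
        after = scan(root)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before rename", "after rename"), demo()):
        print(label, result)
```

After the rename only the content-based definition still flags the file, which is the behaviour a scanner would need in order to identify a file regardless of its name.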
Regardless, Lavasoft's update procedure may maintain the hole for many customers.
Users who downloaded Ad-Aware v1.02, the version distributed between August 9 and August 12 before the Ad-Watch fix was applied, may not get the advice to update. Rather, in a PC World test of v1.02, the product erroneously reports, "No update components available."
Lavasoft posted a notice in its support forum regarding the availability of the 1.03 release, but only users who regularly visit the forum will likely see it. What's more, the post describes the fixes as "minor issues"--which is not how PC World would have described them in a product review.
The timing of a user's purchase of the program may also affect which version is supplied. Lavasoft grants a two-week post-purchase window when customers can download new versions of the product; later upgrades may result in extra fees. Fortunately, anyone who purchases Ad-Aware on or after August 13 gets v1.03 or above--but earlier buyers may not realize they should download yet another version so soon after release.
A product review of Ad-Aware SE Plus is in development and will be posted later on PC World.