
Avast Antivirus enables the entire Microsoft PKI for Firefox


Adrian R

May 21, 2019, 3:59:12 PM
to mozilla-dev-s...@lists.mozilla.org
Hello

Today, as part of an "upgrade" to version 19.5 Avast Antivirus has forcefully enabled the entire Microsoft PKI for all Firefox users that also happen to be users of Avast [Free] Antivirus.

They now forcefully set this Mozilla enterprise policy for all users of Avast:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Certificates
"ImportEnterpriseRoots"=dword:00000001

And this causes Mozilla Firefox to trust all the root certificates in the Windows store... but with a bug: Firefox ignores the local revocation info for root certificates and thus considers revoked root certificates as being valid.


Related Mozilla bugzilla bug id: 1553233

*sigh*

~~~~
Adrian R.

Wayne Thayer

May 21, 2019, 4:06:54 PM
to Adrian R, mozilla-dev-security-policy
On Tue, May 21, 2019 at 12:59 PM Adrian R via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> Hello
>
> Today, as part of an "upgrade" to version 19.5 Avast Antivirus has
> forcefully enabled the entire Microsoft PKI for all Firefox users that also
> happen to be users of Avast [Free] Antivirus.
>
> They now forcefully set this Mozilla enterprise policy for all users of
> Avast:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Certificates
> "ImportEnterpriseRoots"=dword:00000001
>
> And this causes Mozilla Firefox to trust all the root certificates in the
> Windows store...


That is not my understanding of how this setting works: it only imports
roots that have been added to the Windows root store, e.g. by a program
such as Avast, or an administrator. It does not import roots Microsoft
ships with Windows.

Adrian R

May 21, 2019, 4:23:43 PM
to mozilla-dev-s...@lists.mozilla.org
Wayne Thayer wrote:
>
>
> That is not my understanding of how this setting works: it only imports
> roots that have been added to the Windows root store, e.g. by a program
> such as Avast, or an administrator. It does not import roots Microsoft
> ships with Windows.
>

The problem is that if a root certificate is revoked locally by:
- exporting it from any place in the Windows certificate store,
- adding it to the Untrusted Certificates store
- keeping it untouched in the initial store where it was exported from ...
Firefox considers that certificate as valid when it should consider it as revoked.
Windows considers such a certificate to be revoked.


With Avast antivirus it's not possible to delete their MITM scanner certificate because they will re-create another if I delete it, but they allow it to be revoked and stay revoked.

~~~~
Adrian R.

Wayne Thayer

May 21, 2019, 4:35:10 PM
to Adrian R, mozilla-dev-security-policy
On Tue, May 21, 2019 at 1:23 PM Adrian R via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> Wayne Thayer wrote:
> >
> >
> > That is not my understanding of how this setting works: it only imports
> > roots that have been added to the Windows root store, e.g. by a program
> > such as Avast, or an administrator. It does not import roots Microsoft
> > ships with Windows.
> >
>
> The problem is that if a root certificate is revoked locally by:
> - exporting it from any place in the windows certificate store,
> - adding it to the Untrusted Certificates store
> - keeping it untouched in the initial store where it was exported from ...
> Firefox considers that certificate as valid when it should consider it as
> revoked.
> Windows considers such a certificate to be revoked.
>
>
There is a big difference between importing the entire Windows root store
and thus effectively overriding Mozilla's trust decisions, and importing
roots added by an antivirus program, so I wanted to clarify that.

The bug that you filed (thanks!) should address the revocation issue:
https://bugzilla.mozilla.org/show_bug.cgi?id=1553233
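
A read-only audit for the situation discussed in this thread, added here as an example and not code from any poster, Mozilla or Avast: it reports whether the ImportEnterpriseRoots policy value is set and lists root certificates that are still present in a Root store while also sitting in Untrusted Certificates. It assumes that store is exposed by PowerShell's certificate provider as "Disallowed" and that matching by thumbprint is sufficient; the function names are hypothetical.

```powershell
# Added audit example (not from the thread). Read-only: it changes nothing.
$policyKey = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Certificates'

function Get-ImportEnterpriseRootsState {
    # $true when the policy value quoted in the thread is present and set to 1.
    $p = Get-ItemProperty -Path $policyKey -Name 'ImportEnterpriseRoots' -ErrorAction SilentlyContinue
    return [bool]($p -and $p.ImportEnterpriseRoots -eq 1)
}

function Get-DistrustedButPresentRoots {
    # "Untrusted Certificates" in certmgr is the store named Disallowed (assumption stated above).
    $disallowed = @{}
    foreach ($loc in 'LocalMachine', 'CurrentUser') {
        Get-ChildItem "Cert:\$loc\Disallowed" -ErrorAction SilentlyContinue |
            ForEach-Object { $disallowed[$_.Thumbprint] = $loc }
    }
    # A root that was exported, added to Disallowed and left in place shows up in both stores.
    foreach ($loc in 'LocalMachine', 'CurrentUser') {
        Get-ChildItem "Cert:\$loc\Root" -ErrorAction SilentlyContinue |
            Where-Object { $disallowed.ContainsKey($_.Thumbprint) } |
            ForEach-Object {
                [pscustomobject]@{
                    RootStore    = "$loc\Root"
                    DisallowedIn = $disallowed[$_.Thumbprint]
                    Subject      = $_.Subject
                    Thumbprint   = $_.Thumbprint
                    NotAfter     = $_.NotAfter
                }
            }
    }
}

$enabled = Get-ImportEnterpriseRootsState
"ImportEnterpriseRoots policy enabled: $enabled"

# The same certificate can be visible through both store locations; keep one row per thumbprint.
$hits = @(Get-DistrustedButPresentRoots | Sort-Object Thumbprint -Unique)
if ($hits.Count -eq 0) {
    'No certificate is present in both a Root store and a Disallowed store.'
} else {
    $hits | Format-Table -AutoSize
    if ($enabled) {
        'Policy is on: check whether Firefox lists these roots as trusted (bug 1553233).'
    }
}
```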