A company called Comodo has a full-service internet security suite available for your PC. Among other tools, this suite includes a tweaked version of Chromium called Chromodo. The tweaks are all meant to tie Chromodo into the total security suite and make it safer and more secure than a normal browser. According to Googler Tavis Ormandy, however, the software automatically sets Chromodo as your default browser upon installation. It also imports all your settings and logins from Chrome, hijacks your DNS settings and changes your browser-related shortcuts, “among other shady practices”. On top of that, an add-on to the Chromodo browser has some major security flaws that seem to effectively disable all internet security and could leave users open to all sorts of attacks and exploits.
One of the biggest security problems is that the add-on disables the Chrome setting that allows two web scripts to interact only if they’re from the same site (the same-origin policy). Signature protection is also gimped, allowing self-made, non-verified signatures to be approved and run like normal. Essentially, this means that any attacker can self-sign something or run a man-in-the-middle script over your connection. Once they’ve done that, they can run just about any code they like. This can open users up to all sorts of nasty business, such as full takeovers, information and file stealing, scareware and trojans, or a disgruntled hacker disabling a user’s computer just for kicks.
Not long ago, Comodo was found to be running its own man-in-the-middle script in its suite that subverted signature protection and allowed similar shenanigans. That has since been fixed. After this newest bug was reported via Google Code, Comodo announced it would release a new version of its suite without the browser add-on that had caused all the trouble. As promised, this was released on Wednesday. If you happen to use Comodo and its Chromodo browser, it may be a good idea to update both immediately, if you haven’t already. According to Comodo, the update was pushed to all current users and is already live for download for any new users.