Comodo Internet Security Installs New Browser by Force, Disables All Web Security
[h3]Comodo Internet Security Installs New Browser by Force, Disables All Web Security[/h3]
[bold]Developers have exposed the fact that Comodo Internet Security is actually a security threat for anyone using it. It’s using a really aggressive marketing practice that forces the installation of a new browser and replaces many of the user’s settings.[/bold]
When you say Comodo Internet Security, you think about something that will provide users with enhanced security, but it turns out that it’s yet another bundled package that forces the installation of a new browser named Chromodo.
Let’s assume for a moment that that makes sense. The package is named Comodo Internet Security so maybe installing a new browser that’s “secure” is the right thing to do. Unfortunately, this is not the case and the Google security researcher Tavis Ormandy posted a worrying bug entry that explains why Comodo Internet Security is a really bad thing.
[bold]Disabling web security by default[/bold]
As the name implies, Chromodo is based on Chromium, and that’s why we see a bug entry on Google’s website. The security issue is not even the only problem. It turns out that Chromodo also imports everything from Google Chrome, replaces shortcuts, and hijacks DNS settings.
“When you install Comodo Internet Security, by default a new browser called Chromodo is installed and set as the default browser. Additionally, all shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices. It actually disables all web security. Let me repeat that, they ***disable the same origin policy***…. ?!?..” Tavis Ormandy explained.
From the discussions that followed, it seems that the Comodo team took a long time to answer, and when they did issue a fix, it was a poor one that can be easily bypassed.
As usual, this bug was under the 90-day disclosure deadline, which means that Comodo has been informed about this issue three months ago and did nothing. Now the bug entry is public, and anyone can see it.