The Comodo app also replaces links and hijacks DNS

Feb 3, 2016 06:06 GMT

Developers have exposed the fact that Comodo Internet Security is actually a security threat for anyone using it. It's using a really aggressive marketing practice that forces the installation of a new browser and replaces many of the user's settings.

When you say Comodo Internet Security, you think about something that will provide users with enhanced security, but it turns out that it's yet another bundled package that forces the installation of a new browser named Chromodo.

Let's assume for a moment that that makes sense. The package is named Comodo Internet Security, so maybe installing a new browser that's "secure" is the right thing to do. Unfortunately, this is not the case, and Google security researcher Tavis Ormandy posted a worrying bug entry that explains why Comodo Internet Security is a really bad thing.

Disabling web security by default

As the name implies, Chromodo is based on Chromium, and that's why we see a bug entry on Google's website. The security issue is not even the only problem. It turns out that Chromodo also imports everything from Google Chrome, replaces shortcuts, and hijacks DNS settings.

"When you install Comodo Internet Security, by default a new browser called Chromodo is installed and set as the default browser. Additionally, all shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices. It actually disables all web security. Let me repeat that, they ***disable the same origin policy***.... ?!?.." Tavis Ormandy explained.

From the discussions that followed, it seems that the Comodo team took a long time to answer, and when they did issue a fix, it was a poor one that can be easily bypassed.

It turns out that many other companies selling security-related software are doing some really shady things with their applications. For example, AVG AntiVirus forcibly installed a Google Chrome extension that added many JavaScript APIs to hijack search settings and the new tab page.

As usual, this bug was under the 90-day disclosure deadline, which means that Comodo was informed about this issue three months ago and did nothing. Now the bug entry is public, and anyone can see it.