New
#1
AVG Breaks Google Chrome Security
This Antivirus Plugin Makes You LESS Secure
AVG has been a trusted name in anti-malware and online security software for decades; over 200 million people have installed the free AVG Antivirus software. But in the last weeks of 2015, it was revealed that one of AVG’s products (apparently deliberately) bypasses critical security components of the Google Chrome browser for no better reason than to promote AVG.
The product is a Chrome extension called “AVG Web Tuneup.” The name itself is misleading; the extension doesn’t “tune up” anything, it just checks URLs against a reputation database and blocks connections to known rogue sites. In any case, when AVG Antivirus is installed it urges the user to let it install Web Tuneup as well. About 9 million Chrome users have done so.
The problem is that AVG doesn’t follow the extension installation process dictated by Google’s developers policy. Google researcher Tavis Ormandy described what happens this way, in a message he posted to a Google security researchers forum.
"This extension adds numerous JavaScript API's to Chrome, apparently so that they can hijack search settings and the new tab page. The installation process is quite complicated so that they can bypass the chrome malware checks, which specifically tries to stop abuse of the extension API. Anyway, many of the API's are broken."
Ormandy provided an example of code that could steal authentication cookies from AVG’s Web site, adding that the flawed Web Tuneup “also exposes browsing history and other personal data to the internet” and might very well allow an attacker to execute malware on a user’s machineIf you have AVG Web Tuneup installed, you may want to uninstall it. Click the three-bars icon in the upper-right corner of Chrome. Cursor down to “More tools” and select “Extensions” from the second drop-down menu. Find Web Tuneup among your extensions and toss it in the trash.