AVG Forces Chrome Extension On Users, Extension Is Woefully Insecure (google.com)
An anonymous reader writes: The AVG Web TuneUp Chrome extension, forcibly added to Google Chrome browsers when users were installing the AVG antivirus, had a serious flaw that allowed attackers to get the user's browsing history, cookies, and more. "This extension adds numerous JavaScript APIs to Chrome, apparently so that they can hijack search settings and the new tab page," explains Mr. Ormandy. "The installation process is quite complicated so that they [AVG] can bypass the Chrome [Store] malware checks, which specifically tries to stop abuse of the [Chrome] Extension API." Simple XSS and MitM attacks expose data from other tabs opened in the browser, browsing history, and even manage to render SSL useless.
Re:*slow clap* (Score:5, Insightful)
Indeed. It's neat to see something surreptitiously installed on Chrome, which is often itself installed the same way.
Wait. Why are we talking about security issues with untrustworthy bundle-ware that replaces your default browser? Isn't it a given that it's both insecure and will spy on you?
Re: (Score:2)
i recently installed free avg antivirus on my (70 year old) neighbor's laptop. it installed a firefox extension which, if disabled or uninstalled, makes the main avg program complain without end. it did give me a choice to not install the extension during software install but i thought i'd try it and disable/uninstall it if i didn't like it. tough titties! the neighbor is now stuck with a stupid 'avg search' homepage until i find time to visit and reinstall it.
Re: (Score:2)
so i keep telling him. an elderly gentleman who guilts me into occasional tech support. and like all 70 year olds, he's as stubborn as a mule. i tell him to buy good used laptop A, he lets his grandson pick shitty but pretty laptop B. i install and teach him a simplified ubuntu 8.04 (years ago), he lets his grandson restore vista instead. it's a multi-level clusterf*ck.
Re: (Score:2)
oh that ever-present feeling of knowing everything. i miss being 16.
AVG used to be good and then about 4 years ago (Score:5, Informative)
AVG used to be good and then about 4 years ago it got a lot of bloat
Re:AVG used to be good and then about 4 years ago (Score:5, Informative)
Re:AVG used to be good and then about 4 years ago (Score:4, Informative)
Add in a free MalWareBytes scan every 2 weeks, a good adblocker, and non-ISP DNS and you can't get much better.
If you think you are infected, MalwareBytes anti-root kit, hitman pro, and malwarebytes, and adwcleaner are a good combo to get most stuff out.
Source, I manage a shop that does lots of residential repairs (ie 80% viruses).
Re: (Score:2)
Haven't had much success with hitmanpro, but adwcleaner, JRT, and combofix work quite well, EXCEPT that combofix still hasn't been updated for Windows 8.1 or 10. I'm starting to get nervous as more Win 10 users call for help. Combofix is a really remarkable tool, but I hope it gets clearance for Win 10 soon.
Re: (Score:2)
Wow - I've never had combofix break anything except the malware it's designed to remove. Occasionally it will fail to remove something.
I usually go for ADWcleaner if it's just scammy "tune your PC" nonsense, but if it's "your PC is infected, call this number to fix it" I'll use combofix. I'll use JRT but only as a backup if I suspect the others haven't worked.
Re: (Score:2)
MSSE is the only one I've found that doesn't cripple your system. My preferred set up is MSSE and some non-real-time scanners, plus making my download directory and browser cache no-execute. Oh, and the usual array of ad blockers and privacy enhancers.
Re: (Score:2)
I prefer their rescue CD. Because it's Linux based it ignores NTFS permissions and can read every file regardless of protection status. It also avoids being hindered by most rootkits etc since it isn't running on the infected OS. And of course, since you don't install it the bloat is zero.
Re: (Score:2)
MSSE was great, but the catch rate has really fallen off in the past 2 years. For a free AV bitdefender or avira are where it is at. Avira tends to be spammy, while bitdefender is quiet, so therein is my current top of the heap. Add in a free MalWareBytes scan every 2 weeks, a good adblocker, and non-ISP DNS and you can't get much better. If you think you are infected, MalwareBytes anti-root kit, hitman pro, and malwarebytes, and adwcleaner are a good combo to get most stuff out. Source, I manage a shop that does lots of residential repairs (ie 80% viruses).
Reading this, I had no idea how much I enjoy Ubuntu. Thank you for reminding me.
I'm sure that this is how the Tesla owners feel when they hear about somebody replacing a water pump, or a leaky valve cover, or fouled plugs, or a muffler, or a fuel pump, or an ignition coil, or a cam bearing, or an O2 sensor, or a fuel injector, or even doing regular oil changes and yearly smog tests.
Re: (Score:2)
I do the same thing, but it's woefully inadequate. I don't know what will change, but something needs to.
One wrong click and you're grabbing your digital ankles. It's gonna happen.
Re: (Score:2)
it's still better than installing norton, avg or any of that shit though.
Re: (Score:2)
I read MSE sucks too?
Re: (Score:3)
It's been a trend.
Good software found, gets popular, goes horrendously to shit. Everywhere, even the open source world isn't free from this disease. It dates back to Winamp, even earlier.
It's almost like the only software that's trustable any more is abandonware.
Re:AVG used to be good and then about 4 years ago (Score:4, Informative)
AVG and Avast have a combination of bloat, or nags that try to scare you into upgrading to a pay version. MSE, whether or not it's the top in the charts on detection, is a very good option for "set and forget" when dealing with distant relatives.
Don't run as Administrator (Score:4, Insightful)
My best security tip, don't run as Administrator. Run everything as a limited user, and only install software from ADMIN account. Add in Windows Defender / Security Essentials, add in an Adblock / UBlock type protection and back up your data occasionally (regularly) and you're fine. Worst case I've seen, cleared by deleting said user profile.
The problem is, most people want to run everything as Admin because it is convenient.
Re: (Score:1)
Overrated security tip. I mean - it's absolutely basic, nobody should be stupid enough to run as administrator - but it's also bare minimum. There are still absolute tons of vulnerabilities that have nothing to do with Admin.
All of my data (documents, etc) is accessible to my standard user account, as it rather has to be, and malware could do me way more harm by fucking with that than it could do as root.
Re: (Score:1)
All of my data (documents, etc) is accessible to my standard user account, as it rather has to be, and malware could do me way more harm by fucking with that than it could do as root.
What? No offline backup? You're just asking for trouble...
Re: (Score:2)
and obviously never been hit by CryptoLocker
Re: (Score:1)
Well, I'm sorry. You have to keep it offline...
ain't no condom strong enough... [youtube.com]
Re: (Score:2)
My best security tip, don't run as Administrator.
Cool story, brah. How would that have any effect at all on the issue at hand?
Re: (Score:2)
It would. It would avoid running AVG invasionware masquerading as Virus Protection.
Re: (Score:2)
It would. It would avoid running AVG invasionware masquerading as Virus Protection.
Except that the issue at hand has nothing to do with running anything as Administrator. It's about the AVG installer installing an insecure Chrome extension.
Re: (Score:2)
Which you won't have to do if you don't run as Admin and use Security Essentials / Windows Defender. As I said, the problem is that people think they need more than that, and they don't.
Re: (Score:2)
The trade shows were comdex and supercom, way back in 1995. The company went through a re-org, then a renaming, then belly up after I left because I saw they didn't have the hardware expertise to bring the product to market, and it was just one excuse after another for delays that ultimately stretched into the new century. Do you really think I'm going to keep floppy disks from 1995?
And pretty much everything else is covered by NDA, as per industry practice. THOSE businesses haven't gone bankrupt, so you
Re: (Score:1)
Try and block Akamai with your hosts files fool. Let me know how well that Windows system updates. Don't need to block Akamai? Remember the security updates and security compromises are hosted on the same servers now.
Re: (Score:2)
For fuck's sake, just die already. Go join ISIS or something more in tune with your fanaticism.
Avast does that also (Score:3)
No idea if the Avast plugin is crappy or well-written or what, but it also tried to install itself on my Chrome and Firefox.
Fortunately Firefox had the good sense to ask me,
"An external program has tried to install something (lists the program). Do you really want to install this plugin?"
I said No.
Chrome didn't say anything, and I assume it was installed. Don't really care since I only use Chrome about once a month for sites that crap out in Firefox.
Re: (Score:2)
To be fair, from the summary: "The installation process is quite complicated so that they [AVG] can bypass the Chrome [Store] malware checks, which specifically tries to stop abuse of the [Chrome] Extension API."
Sounds like they specifically targeted Chrome to go around those checks, but either Firefox does a better job at stopping unauthorized installs or they did not bother to do the same with Firefox.
Slashdot breaks Chrome, nobody can comment (Score:2)
Dear Slashdot admins,
Since the subject of Chrome has come up, please beware that either a Slashdot or Chrome change has broken the ability to comment using this combination. Any attempt to submit the comment says that I couldn't prove I am human, while a similar action on, say, Safari works perfectly.
Happy holidays and please take a look at this at your earliest convenience. I am using current stable Chrome on MacOSX 10.11.2, and the browser works well on other sites.
AVG Was Once A Great Product... (Score:2)
...then new owners decided they're in it for the money, not customer satisfaction and a reasonable profit. So, I didn't see this; I've already migrated all my clients to Webroot...cheaper, better, and without all the self-serving pop-up messages or uninvited "adds-on" to other products and the O.S.
Webroot is a good product, albeit underdocumented (what is it with all these security companies who think their products don't need or shouldn't have Admin or User documentation???).
The answer here is really simple. (Score:2)
Don't use "Tune Up" type products.
Most of the time they don't do JACK SHIT.
And in the few instances where they might actually improve performance, they're likely compromising either system/application security/stability.
Plus, they're installing this additional crapware and hijacking your browsers.
FUCK.
THAT.
NOISE.
AVG: (Score:1)
Re: (Score:2, Informative)
" in fact you can't even buy one for linux"
That's completely BS, but you're right about one thing... "install ... whatever OS you want", even Windows and OS X.
Pretty much the rest of your post is wrong too.
Re: (Score:2)
IBM doesn't even make i86/ia64/etc compatible computers anymore. They sold that off to the Chinese company that bought Lenovo YEARS ago. IBM used to love OS/2, aka CONCENTRATED EVIL. I think I'll forgo IBM's opinion on the matter.
Re: (Score:1)
IBM doesn't even make i86/ia64/etc compatible computers anymore. They sold that off to the Chinese company that bought Lenovo YEARS ago. IBM used to love OS/2, aka CONCENTRATED EVIL. I think I'll forgo IBM's opinion on the matter.
OS/2 was a pretty decent system, better than Windows at the time IMNSHO, and possibly even today. But when IBM wholesale changes their employees' systems away from Windows, you have to ask yourself exactly why, especially when Macs are reportedly so darn expensive (that's a hopefully dead meme by now, while you can buy a cheaper windows machine with much lower specs, equivalent machines are more than competitive). You should also ask yourself why IBM would do so just when the next greatest OS release from MS
Re: (Score:2)
You should also ask yourself why IBM would do so just when the next greatest OS release from MS was about to drop, complete with its "live update" process that you can't opt out of.
Are you saying IBM's IT department was too stupid to use WSUS or even to set delayed updates through GPO and use another solution?
Yes, updates are forced on Windows 10 Home users, as it has been proven time and again that they are incapable of managing updates. Don't like the automatic updates, spring for the Pro edition or set up a domain.
Re: (Score:1)
You should also ask yourself why IBM would do so just when the next greatest OS release from MS was about to drop, complete with its "live update" process that you can't opt out of.
Are you saying IBM's IT department was too stupid to use WSUS or even to set delayed updates through GPO and use another solution?
Yes, updates are forced on Windows 10 Home users, as it has been proven time and again that they are incapable of managing updates. Don't like the automatic updates, spring for the Pro edition or set up a domain.
I guess you didn't read the policy pieces where MS said yes, you can delay updates, but only for 3 months, max? That has since been extended to a max of 12 months due to massive backlash, but you will update, whether you want to or not if you're running Win10. You no longer own your own installation, MS does. You only get to manage the delays for updates within a 12 month window. That would be concerning to any business, IMNSHO.
Re: (Score:2)
Mostly to prove it can be done, I used Windows for years without any live running AV application. I even did it without a third party software firewall and used only NAT connectivity with the router handling DHCP. I would scan, once in a while, with MBAM or similar. I would check Wireshark once in a while and look for activity that I did not recognize in the logs.
It's possible. It's not even all that difficult, just don't be stupid. This was not, of course, Windows 10. I blocked scripts and whitelisted them
Re: (Score:1)
Mostly to prove it can be done, I used Windows for years without any live running AV application.
I've done the same, except I used an extremely pared down version, with almost no services running. IIRC, I was down to about 13 running processes at startup. System worked fine, only running 3rd party software. I ran no MS software on it at all. Most of all - no Windows Update. That virus downloads all kinds of crap I didn't need or want. With this setup, you don't even need a firewall, as no ports are open. After 3 years and an offline virus scan, no viruses or malware found. It should also be mentioned t
Re: (Score:1)
Yeah, that's a very valid addition. If you're not using services then turn them off. Err... It's been a while but I think you loaded that with just services.msc from the prompt. If you don't know what the service is, use a search engine. You can use manual and, well sometimes, it will start the service when you do something that invokes the service or you can disable it.
As for Linux... Well, I think I tried *all* of them. Not quite but every single one in the top 20 at DistroWatch. Plus a bunch more. VM on
Re: (Score:2)
Yes, in fact you can't even buy one for linux.
Avast Anti-Virus for Linux. [avast.com] Purchasable for $199 per server per server.
Re: (Score:2)
There is no virus other than proof of concept for Linux.
Of course there is [freedesktop.org].
Re: (Score:2)
I was thinking you would link to a Bash script that just does an obfuscated "rm -r /" or "dd -i /dev/random -o /dev/sda1"
(I think I have that dd correct, not really a big user of dd, and don't feel like looking it up)
Re: (Score:2)
Any anti-virus for linux you can buy just checks files or emails for malicious content. It's not really comparable to the type of anti-virus offered for windows.
Re: (Score:2)
Wrong [sophos.com]. Wanna try again?
Re: (Score:2)
Seems you won, they mentioned the term "developer workstation".
Re: (Score:2)
Good man. You know why. Not many of us are comfortable admitting our mistakes and learning from them. It's something I pride myself on and post lots of things hoping that people will make me find my own logical inconsistencies or to otherwise learn from them.
That said, yeah, you can buy AV for Linux. I'm not actually sure why you'd want to (unless you're worried about something in WINE getting infected or might be responsible for handing files off to others who might be infected. If I could pick one applica
Re: (Score:2)
LOL, she is less of a psycho stalker than you apparently, as you chose to interject on a totally unrelated thread about her.
Also, APK, you are the AC stalker extraordinaire, who are you to try and claim that she was AC stalking you?
There is good reason for people to post AC in response to you. You take every and all criticism personally, and won't admit when you are wrong. You also spam flood any dissenting opinions, even when every one of your points has been refuted. You are the ultimate in psychopathi
Re: (Score:2)
Wow, just wow. As I pointed out, I ONLY mentioned our previous arguments as counter-proof to another poster who claimed that slashdot engages in the practice of deleting posts. You chose to take that as an attack when in the given context it clearly wasn't. You have to admit that if slashdot had a policy of deleting comments, many of yours would be at the top of most users' lists. Okay, I get it, you mistook what I wrote as singling you out and decided to throw rocks again, and I'm sorry for the misundersta
Re: (Score:3)
I'm sure the ClamAV guys will sell it to you if you want to pay.
Re: (Score:2)
It's a virus scanner, and follows the unix philosophy. It's not a rootkit-like monolith that does some opaque processing in the background, installs plugins for every browser showing right to each link whether it's safe (why can't it just simply warn if you try to click such a link?!), nor does it annoy you with update popups, or even block non-malicious software (yes, people I know quite a few false positives, and it's just impossible to add exceptions for those programs). It really can't be called anti-virus.
Re: (Score:2)
Trollololol.
Re: (Score:2)
Then get Trend Micro Server protect. Trend Micro's virus scanner on Windows installs plugins into browsers as well, but it works as you describe. I doubt their Linux virus scanner does the same thing, as Linux is thought of as a server OS only by them.
http://www.trendmicro.com/us/e... [trendmicro.com]
It doesn't matter what Linux compatible virus scan you choose, it is your choice.
https://www.linux.com/news/sof... [linux.com]
Re: (Score:2)
Yes, I admit, my solution is violating Kant's categorical imperative (only do stuff that can be basis for a universal law).
In fact, some aspects of linux are worse security wise than on windows. But as linux operating systems are open source, security researchers can freely improve the security of the system: you don't have to eat one entity's dog food. Just look at wayland and the xdg-app idea for improvement in these areas.
Re: (Score:2)
Anti-virus software for linux is just used on mail or file servers, to check the content they handle. It does not check the health of the host system.
Re: (Score:2)
You can get symantec also and it's needed because there are viruses written for linux. Granted many of them are intended to infect ftp, web, and mail services which you probably aren't running on a workstation, although if the steam machine really takes off that may change and we may start seeing more.
Re:Security theater (Score:5, Interesting)
The last company I worked for before retirement had several Linux workstations that I admin'ed. The word came down from on-high that, going forward, we would have to run the Linux version of McAfee AV, being that McAfee was the decreed AV for all of our Windows systems. Being that the Windows enterprise version of McAfee, at the time (2010-ish) was a steaming pile of cow manure, I'll give you three guesses what the Linux version was... Hard to believe ANYthing could be worse than the Windows version, but there it was... I certainly could understand having an AV on Windows, but complaints about...WHY THE $#%$% DO WE HAVE TO HAVE AN AV on Linux fell on deaf ears... But I'm retired now and my Linux systems have no such requirement...
Re: (Score:1)
This is a browser extension vulnerability, not an OS vulnerability, two different things. On top of that, you're telling people to install a completely new OS which they wo
Re: (Score:2, Insightful)
Windows encourages the behaviour of downloading stuff from the net, executing the msi or exe installer, then giving it admin access.
Linux has specific package managers for this, with software for almost all things you need. I have only very few stuff on my box that doesn't come from my ubuntu package manager.
Yes, linux isn't the solution for everything, but the fact that if everyone uses linux then linux is targeted by attackers and the situation is as bad or worse on linux doesn't make the other fact wron
Re: (Score:2)
Yes, in fact you can. AV corporations know that in spite of the lack of threats, AV protection is still a checklist item for any piece of IT gear going into some organizations. That's why not only can you buy it, but it's usually a pricey package with "Enterprise" in the name.
Re: (Score:2)
" And if you really need windows for some program or so, start it in a VM, not connected to the internet. Problem solved."
Yes. That works really well for A-list games. Oh wait. It doesn't work at all.
Try a solution that Richard Stallman wouldn't suggest. Hmm?
Re: (Score:2)
" And if you really need windows for some program or so, start it in a VM, not connected to the internet. Problem solved."
Yes. That works really well for A-list games. Oh wait. It doesn't work at all.
Try a solution that Richard Stallman wouldn't suggest. Hmm?
Do you really believe Stallman would suggest this? Hahahahahahahahaha.
Re: (Score:1)
I agree with you. Terribly bloated these days. I had all my clients using AVG for Business for 10 years. Finally switched them all to another product this year. AVG's support is a joke too. I used to recommend them to everyone. Now I recommend everyone find something else.
Re: (Score:2)
Remember when AVG was an actually good product?
No, I remember when it took over the MBR back in Windows 98-2000, which could result in an impossible to remove installation. It has always been an officious piece of shit.