Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×
Chrome Security

AVG Forces Chrome Extension On Users, Extension Is Woefully Insecure (google.com) 170

An anonymous reader writes: The AVG Web TuneUp Chrome extension, forcibly added to Google Chrome browsers when users were installing the AVG antivirus, had a serious flaw that allowed attackers to get the user's browsing history, cookies, and more. "This extension adds numerous JavaScript APIs to Chrome, apparently so that they can hijack search settings and the new tab page," explains Mr. Ormandy. "The installation process is quite complicated so that they [AVG] can bypass the Chrome [Store] malware checks, which specifically tries to stop abuse of the [Chrome] Extension API." Simple XSS and MitM attacks expose data from other tabs opened in the browser, browsing history, and even manage to render SSL useless.
This discussion has been archived. No new comments can be posted.

AVG Forces Chrome Extension On Users, Extension Is Woefully Insecure

Comments Filter:
  • by Joe_Dragon ( 2206452 ) on Tuesday December 29, 2015 @06:18PM (#51205103)

    AVG used to be good and then about 4 years ago it got a lot of bloat

    • by avandesande ( 143899 ) on Tuesday December 29, 2015 @06:30PM (#51205183) Journal
      I quit using it years ago, I found using Microsoft Security Essentials and running Malwarebytes once a month was satisfactory.
      • by wbr1 ( 2538558 ) on Tuesday December 29, 2015 @08:07PM (#51205727)
        MSSE was great, but the catch rate has really fallen off in the past 2 years. For a free AV bitdefender or avira are where it is at. Avira tends to be spammy, while bitdefender is quiet, so there in is my current top of the heap.
        Add in a free MalWareBytes scan every 2 weeks, a good adblocker, and non-ISP DNS and you can't get much better.
        If you think you are infected, MalwareBytes anti-root kit, hitman pro, and malwarebytes, and adwcleaner are a good combot to get most stuff out.
        Source, I manage a shop that does lots of residential repairs (ie 80% viruses).
        • by dwywit ( 1109409 )

          Haven't had much success with hitmanpro, but adwcleaner, JRT, and combofix work quite well, EXCEPT that combofix still hasn't been updated for Windows 8.1 or 10. I'm starting to get nervous as more Win 10 users call for help. Combofix is a really remarkable tool, but I hope it gets clearance for Win 10 soon.

          • by wbr1 ( 2538558 )
            I do not touch combofix anymore. It broke to many services even in win 7 machines for my comfort. JRT has been good, but you need to be aware it clears the event logs, and you cannot stop it, so of you want to parse old events, do it before a JRT run. I do not like it because the developer basically said, yah I delete logs, I won't say why and I won't stop. Makes me wonder what JRT is actually hiding.
            • by dwywit ( 1109409 )

              Wow - I've never had combofix break anything except the malware it's designed to remove. Occasionally it will fail to remove something.

              I usually go for ADWcleaner if it's just scammy "tune your PC" nonsense, but if it's "your PC is infected, call this number to fix it" I'll use combofix. I'll use JRT but only as a backup if I suspect the others haven't worked.

        • by AmiMoJo ( 196126 )

          MSSE is the only one I've found that doesn't cripple your system. My preferred set up is MSSE and some non-real-time scanners, plus making my download directory and browser cache no-execute. Oh, and the usual array of ad blockers and privacy enhancers.

          • by wbr1 ( 2538558 )
            Free Bitdefender is actually pretty light, even runs well on AMD A8s and such. We also use the enterprise BitDefender engine with active protection as part of our MSP service package and it can be very resource intensive.
            • by AmiMoJo ( 196126 )

              I prefer their rescue CD. Because it's Linux based it ignores NTFS permissions and can read every file regardless of protection status. It also avoids being hindered by most rootkits etc since it isn't running on the infected OS. And of course, since you don't install it the bloat is zero.

        • MSSE was great, but the catch rate has really fallen off in the past 2 years. For a free AV bitdefender or avira are where it is at. Avira tends to be spammy, while bitdefender is quiet, so there in is my current top of the heap. Add in a free MalWareBytes scan every 2 weeks, a good adblocker, and non-ISP DNS and you can't get much better. If you think you are infected, MalwareBytes anti-root kit, hitman pro, and malwarebytes, and adwcleaner are a good combot to get most stuff out. Source, I manage a shop that does lots of residential repairs (ie 80% viruses).

          Reading this, I had no idea how much I enjoy Ubuntu. Thank you for reminding me.

          I'm sure that this is how the Tesla owners feel when they hear about somebody replacing a water pump, or a leaky valve cover, or fouled plugs, or a muffler, or a fuel pump, or an ignition coil, or a cam bearing, or an O2 sensor, or a fuel injector, or even doing regular oil changes and yearly smog tests.

      • I do the same thing, but It's woefully inadequate. I don't know what will change, but something needs to.

        One wrong click and you're grabbing your digital ankles. It's gonna happen.

      • by antdude ( 79039 )

        I read MSE sucks too?

    • It's been a trend.

      Good software found, gets popular, goes horrendously to shit. Everywhere, even the open source world isn't free from this disease. It dates back to Winamp, even earlier.

      It's almost like the only software that's trustable any more is abandonware.

    • by LinuxIsGarbage ( 1658307 ) on Tuesday December 29, 2015 @07:32PM (#51205545)

      AVG and Avast have a combination of bloat, or nags that try to scare you into upgrading to a pay version. MSE, whether or not it's the top in the charts on detection, is a very good option for "set and forget" when dealing with distant relatives.

    • The bloat is why I switched my customers to Comodo IS and Avast, Avast for the "little old lady" types that need lots of hand holding and Comodo IS for those that are needing a little more heavy duty protection as by default it sandboxes the browser.

      What really sucks is the "TuneUp" its referring to I'm sure is the once great TuneUp Utilities [tune-up.com] which used to be my go to tool for keeping a home users system maintained, it was IMNSHO a spiritual successor to the DOS/Win9x era Norton Utilities, but AVG came alon

  • by Archangel Michael ( 180766 ) on Tuesday December 29, 2015 @06:19PM (#51205105) Journal

    My best security tip, don't run as Administrator. Run everything as a limited user, and only install software from ADMIN account. Add in Windows Defender / Security Essentials, add in a Adblock / UBlock type protection and back up your data occasionally (regularly) and you're fine. Worst case I've seen, cleared by deleting said user profile.

    The problem is, most people want to run everything as Admin because it is convenient.

    • by c4757p ( 4213341 )

      Overrated security tip. I mean - it's absolutely basic, nobody should be stupid enough to run as administrator - but it's also bare minimum. There are still absolute tons of vulnerabilities that have nothing to do with Admin.

      All of my data (documents, etc) is accessible to my standard user account, as it rather has to be, and malware could do me way more harm by fucking with that than it could do as root.

    • My best security tip, don't run as Administrator.

      Cool story, brah. How would that have any effect at all on the issue at hand?

      • It would. It would avoid running AVG invasionware masquerading as Virus Protection.

        • It would. It would avoid running AVG invasionware masquerading as Virus Protection.

          Except that the issue at hand has nothing to do with running anything as Administrator. It's about the AVG installer installing an insecure Chrome extension.

          • Which you won't have to do if you don't run as Admin and use Security Essentials / Windows Defender. As I said, the problem is that people think they need more than that, and they don't.

      • Real BOfH run as root, with no safety net. That way, when you screw up, you learn from it the first time, as well as being more thoughtful in the future. After all, there WILL be times you have no choice but to remote in as root and fix something PDQ with everyone leaning over your shoulder.
    • Well, ever since Vista even accounts in the administrators group don't have full admin access to the whole installation. I guess it would be advisable to leave UAC on. Most people turn it off because it's an annoyance, but it's the only thing remotely resembling security Windows has.
  • by Spy Handler ( 822350 ) on Tuesday December 29, 2015 @06:19PM (#51205111) Homepage Journal

    No idea if the Avast plugin is crappy or well-written or what, but it also tried to install itself on my Chrome and Firefox.

    Fortunately Firefox had the good sense to ask me,

    "An external program has tried to install something (lists the program). Do you really want to install this plugin?"

    I said No.

    Chrome didn't say anything, and I assume it was installed. Don't really care since I only use Chrome about once a month for sites that crap out in Firefox.

    • by p0p0 ( 1841106 )
      This pisses me off. Chrome made it more difficult for a user to install their own extensions, and any program can just add an extension whenever it feels like. I don't even think Avast lets you stop the install of the extension. So if you use Chrome you've got to sit back and let it happen, then manually remove the extension. It's moronic.
      • by zyzko ( 6739 )

        To be fair, from the summary: "The installation process is quite complicated so that they [AVG] can bypass the Chrome [Store] malware checks, which specifically tries to stop abuse of the [Chrome] Extension API."

        Sound like they specifically targeted Chrome to go around those checks, but either Firefox does a better job at stopping unauthorized installs or they did not bother to do the same with Firefox.

  • Dear Slashdot admins,

    Since subject of Chrome has come up, please beware that either Slashdot or Chrome change has broke ability to comment using this combination. Any attempt to submit the comment says that I couldn't prove I am human, while similar action on, say, Safari works perfectly.

    Happy holidays and please take a look at this at your earliest convenience. I am using current stable Chrome on MacOSX 10.11.2, and the browser works well on other sites.

  • ...then new owners decided they're in it for the money, not customer satisfaction and a reasonable profit. So, I didn't see this; I've already migrated all my clients to Webroot...cheaper, better, and without all the self-serving pop-up messages or uninvited "adds-on" to other products and the O.S.

    Webroot is a good product, albeit underdocumented (what is it with all these security companies who think their products don't need or shouldn't have Admin or User documentation???).

  • Don't use "Tune Up" type products.

    Most of the time they don't do JACK SHIT.

    And in the few instances where they might actually improve performance, they're likely compromising either system/application security/stability.

    Plus, they're installing this additional crapware and hijacking your browsers.

    FUCK.

    THAT.

    NOISE.

  • The only product WORSE than Norton.

"Open the pod bay doors, HAL." -- Dave Bowman, 2001

Working...