This Antivirus Plugin Makes You LESS Secure
Billionaire Warren Buffett said, “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently.” He might have been talking to the folks at AVG Antivirus; if he was, they weren’t listening. Read on to learn how AVG might have made you LESS secure...
AVG Breaks Google Chrome Security
AVG has been a trusted name in anti-malware and online security software for decades; over 200 million people have installed the free AVG Antivirus software. But in the last weeks of 2015, it was revealed that one of AVG’s products (apparently deliberately) bypasses critical security components of the Google Chrome browser for no better reason than to promote AVG.
The product is a Chrome extension called “AVG Web Tuneup.” The name itself is misleading; the extension doesn’t “tune up” anything, it just checks URLs against a reputation database and blocks connections to known rogue sites. In any case, when AVG Antivirus is installed it urges the user to let it install Web Tuneup as well. About 9 million Chrome users have done so.
The problem is that AVG doesn’t follow the extension installation process dictated by Google’s developer policy. Google researcher Tavis Ormandy described what happens this way in a message he posted to a Google security researchers forum.
Ormandy provided an example of code that could steal authentication cookies from AVG’s Web site, adding that the flawed Web Tuneup “also exposes browsing history and other personal data to the internet” and might very well allow an attacker to execute malware on a user’s machine.
How Does Tuneup Become Foulup?
Ormandy also sent an “angry email” directly to AVG, in which he chastised the company: "The extension is so badly broken that I'm not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it's a PuP [Potentially unwanted Program]. Nevertheless, my concern is that your security software is disabling web security for 9 million Chrome users (who have installed AVG Web Tuneup), apparently so that you can hijack search settings and the new tab page."
Very simplistically, installing AVG Web Tuneup breaks Chrome’s security in ways that allow bad guys to redirect a user to any Web site they wish, and effectively disables SSL secure connections to supposedly secure sites like Gmail, banks, Amazon, etc.
AVG submitted a “patched” update of the Web Tuneup extension on December 19. But Ormandy said it didn’t fix the original problems at all; in fact, it shows an alarming misunderstanding of how domain names and URLs work. Anyone who names his rogue Web server “www.avg.com.www.attacker.com” could still hijack a Web Tuneup Chrome user. Note that this hypothetical server is hosted on attacker.com, not avg.com.
A second patch issued a day later restricts Web Tuneup to two Web pages that actually are hosted on avg.com. Ormandy grudgingly says this will work, as long as those pages are well audited and maintained to keep exploitable code off of them.
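The hostname mistake described above, as an added example (not AVG's or Ormandy's code; the page does not show the actual check). `naiveIsTrusted` is a hypothetical substring match that accepts www.avg.com.www.attacker.com, `hostIsTrusted` compares the parsed hostname on a label boundary, and `pageIsAllowed` mirrors the second patch's exact-page restriction using placeholder paths, since the page does not name the two pages.

```javascript
// Added illustration: validating which web page may talk to an extension.
// All function names and the two page paths are assumptions for this example.

// Hypothetical flawed check: the trusted name may appear anywhere in the URL.
function naiveIsTrusted(url) {
  return url.indexOf("www.avg.com") !== -1;
}

// Parse the URL, then compare the hostname itself, not the raw string.
function hostIsTrusted(url, trustedDomain = "avg.com") {
  let u;
  try {
    u = new URL(url);
  } catch {
    return false; // unparseable input is never trusted
  }
  if (u.protocol !== "https:") return false;
  // Normalise case and a trailing root dot before comparing.
  const host = u.hostname.toLowerCase().replace(/\.$/, "");
  // Match the domain exactly, or as a suffix that starts at a label boundary.
  return host === trustedDomain || host.endsWith("." + trustedDomain);
}

// Stricter form, as in the second patch: only specific pages are accepted.
// Placeholder paths; the real page names are not given in the article.
const ALLOWED_PAGES = new Set([
  "https://www.avg.com/placeholder-page-one",
  "https://www.avg.com/placeholder-page-two",
]);

function pageIsAllowed(url) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return false;
  }
  // origin excludes userinfo, query and fragment, so only scheme, host,
  // port and path decide the match.
  return ALLOWED_PAGES.has(u.origin + u.pathname);
}
```

The same parsed-hostname comparison also rejects URLs that carry the trusted name in the userinfo or query string, which a substring match accepts.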
The issue is considered “resolved” and AVG Web Tuneup is available in the Google Play store. But Google has disabled “inline installation,” a developer privilege that lets Chrome extensions be downloaded and installed from a Web site other than Google Play. In other words, AVG cannot offer any future updates of Web Tuneup except through the Google Play vetting process. This restriction will continue at least until Google determines if AVG violated developer policies.
Why Did AVG Do It?
It appears that AVG was trying to make its name more visible to users by resetting their homepages to an AVG Web Tuneup page, and filling newly opened tabs with another AVG page. These are marketing functions that have nothing to do with AVG’s core competencies. At best, it would have been "just" an annoyance and an inconvenience for Chrome users. Nobody wants their browser homepage hijacked. Nor do they want to see advertising pitches when opening a new tab. I can imagine some marketing person pitching this bright idea to security geeks:
MARKETING: “Hey, we can use this extendy-thing to get our name in front of customers!”
SECURITY: “We are fighting an ever-rising tide of cybercrime, we don’t have time to code marketing gimmicks.”
MARKETING: “Well, can I use an intern on it?”
SECURITY: “Yeah, sure, whatever…”
And that’s how your whole company ends up looking like a pack of irresponsible, clueless kiddies on a Google security researchers forum. See Warren Buffett, above.
If you have AVG Web Tuneup installed, you may want to uninstall it. Click the three-bars icon in the upper-right corner of Chrome. Cursor down to “More tools” and select “Extensions” from the second drop-down menu. Find Web Tuneup among your extensions and toss it in the trash.
If you're disappointed with AVG and looking for a new antivirus program, see the sidebar above. Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 4 Jan 2016
Copyright © 2005 - Bob Rankin - All Rights Reserved