This Antivirus Plugin Makes You LESS Secure
AVG Breaks Google Chrome Security
Billionaire Warren Buffett said, “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently.” He might have been talking to the folks at AVG Antivirus; if he was, they weren’t listening.
AVG has been a trusted name in anti-malware and online security software for decades; over 200 million people have installed the free AVG Antivirus software. But in the last weeks of 2015, it was revealed that one of AVG’s products (apparently deliberately) bypasses critical security components of the Google Chrome browser for no better reason than to promote AVG.
The product is a Chrome extension called “AVG Web Tuneup.” The name itself is misleading; the extension doesn’t “tune up” anything, it just checks URLs against a reputation database and blocks connections to known rogue sites. In any case, when AVG Antivirus is installed it urges the user to let it install Web Tuneup as well. About 9 million Chrome users have done so.
The problem is that AVG doesn’t follow the extension installation process dictated by Google’s developer policy. Google researcher Tavis Ormandy described what happens this way, in a message he posted to a Google security researchers forum:
"This extension adds numerous JavaScript API's to Chrome, apparently so that they can hijack search settings and the new tab page. The installation process is quite complicated so that they can bypass the chrome malware checks, which specifically tries to stop abuse of the extension API. Anyway, many of the API's are broken."
Ormandy provided an example of code that could steal authentication cookies from AVG’s Web site, adding that the flawed Web Tuneup “also exposes browsing history and other personal data to the internet” and might very well allow an attacker to execute malware on a user’s machine.
How Does Tuneup Become Foulup?
Ormandy also sent an “angry email” directly to AVG, in which he chastised the company: "The extension is so badly broken that I'm not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it's a PuP [Potentially unwanted Program]. Nevertheless, my concern is that your security software is disabling web security for 9 million Chrome users (who have installed AVG Web Tuneup), apparently so that you can hijack search settings and the new tab page."
Very simplistically, installing AVG Web Tuneup breaks Chrome’s security in ways that allow bad guys to redirect a user to any Web site they wish, and effectively disables SSL secure connections to supposedly secure sites like Gmail, banks, Amazon, etc.
AVG submitted a “patched” update of the Web Tuneup extension on December 19. But Ormandy said it didn’t fix the original problems at all; in fact, it shows an alarming misunderstanding of how domain names and URLs work. Anyone who names his rogue Web server “www.avg.com.www.attacker.com” could still hijack a Web Tuneup Chrome user. Note that this hypothetical server is hosted on attacker.com, not avg.com.
A second patch issued a day later restricts Web Tuneup to two Web pages that actually are hosted on avg.com. Ormandy grudgingly says this will work, as long as those pages are well audited and maintained to keep exploitable code off of them.
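The hostname pitfall behind the first patch, and the exact-page restriction of the second, shown as an added example (not code from AVG, Ormandy, or this article). The substring check is an assumed reconstruction of the mistake, and the function names and allowlisted page paths are hypothetical placeholders; the label-boundary check goes one step beyond what the article describes.

```javascript
// Added example, not AVG's code. The weak check is an assumed reconstruction
// of a substring test; the allowlisted paths are placeholders.

// Weak: looks for the trusted name anywhere in the origin string.
function weakOriginCheck(origin) {
  return origin.includes("www.avg.com");
}

// Better: compare whole DNS labels, so the trusted domain must be the
// right-most part of the hostname.
function hostBelongsTo(hostname, domain) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  return host === domain || host.endsWith("." + domain);
}

// Strictest (the approach of the second patch): exact HTTPS pages only.
const ALLOWED_PAGES = new Set([
  "https://www.avg.com/placeholder-page-1",
  "https://www.avg.com/placeholder-page-2",
]);

function strictPageCheck(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch (e) {
    return false; // unparseable input is never trusted
  }
  if (u.protocol !== "https:" || u.port !== "") return false;
  return ALLOWED_PAGES.has(`https://${u.hostname}${u.pathname}`);
}

// Constructed sample URLs; the second hostname is the one quoted in the article.
const SAMPLES = [
  "https://www.avg.com/placeholder-page-1",
  "https://www.avg.com.www.attacker.com/placeholder-page-1",
  "http://www.avg.com/placeholder-page-1",
  "https://www.avg.com/some-other-page",
];

function evaluate(urls) {
  return urls.map((url) => {
    const u = new URL(url);
    return { url, weak: weakOriginCheck(u.origin),
             suffix: hostBelongsTo(u.hostname, "avg.com"),
             strict: strictPageCheck(url) };
  });
}

console.table(evaluate(SAMPLES));
```

Only the first sample passes all three checks; the article's look-alike hostname passes the substring test but fails both the label-boundary and exact-page checks.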
The issue is considered “resolved” and AVG Web Tuneup is available in the Google Play store. But Google has disabled “inline installation,” a developer privilege that lets Chrome extensions be downloaded and installed from a Web site other than Google Play. In other words, AVG cannot offer any future updates of Web Tuneup except through the Google Play vetting process. This restriction will continue at least until Google determines if AVG violated developer policies.
Why Did AVG Do It?
It appears that AVG was trying to make its name more visible to users by resetting their homepages to an AVG Web Tuneup page, and filling newly opened tabs with another AVG page. These are marketing functions that have nothing to do with AVG’s core competencies. At best, it would have been "just" an annoyance and an inconvenience for Chrome users. Nobody wants their browser homepage hijacked. Nor do they want to see advertising pitches when opening a new tab. I can imagine some marketing person pitching this bright idea to security geeks:
MARKETING: “Hey, we can use this extendy-thing to get our name in front of customers!”
SECURITY: “We are fighting an ever-rising tide of cybercrime, we don’t have time to code marketing gimmicks.”
MARKETING: “Well, can I use an intern on it?”
SECURITY: “Yeah, sure, whatever…”
And that’s how your whole company ends up looking like a pack of irresponsible, clueless kiddies on a Google security researchers forum. See Warren Buffett, above.
If you have AVG Web Tuneup installed, you may want to uninstall it. Click the three-bars icon in the upper-right corner of Chrome. Cursor down to “More tools” and select “Extensions” from the second drop-down menu. Find Web Tuneup among your extensions and toss it in the trash.
If you're disappointed with AVG and looking for a new antivirus program, see the sidebar above. Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 4 Jan 2016
Article information: AskBobRankin -- This Antivirus Plugin Makes You LESS Secure (Posted: 4 Jan 2016)
Source: https://askbobrankin.com/this_antivirus_plugin_makes_you_less_secure.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "This Antivirus Plugin Makes You LESS Secure"
Posted by:
pmwill
05 Jan 2016
Just wanted to say thanks, looking at using the best in the future. Love the blogs they really spell it out!
Posted by:
Eamonn
05 Jan 2016
I was a long time AVG free user but have recently switched to Avast for the following reasons.
1. I got fed up with AVG trying to foist unwanted add-ins on me.
2. I had several failed system backup attempts using Macrium Reflect (unable to read source disk error messages.) As a last ditch attempt, I uninstalled AVG and lo and behold...successful backup!
I installed Avast in its place. Your article makes me feel better about leaving AVG in the dust.
Posted by:
Jack
05 Jan 2016
I bounced around between several free antivirus programs for a long time, but finally settled on Norton 360 Premier. It has protected me very well for several years, at a cost of about $90 per year for multiple computers. Plus, it includes many other useful utilities. Money well spent. It does take a fair amount of resources, but with today's fast processors, it has a negligible impact on performance. Plus, no nag screens.
Posted by:
Jeff Lindsay
05 Jan 2016
AVG hijacked my browser--appeared to happen during the uninstall process. I was uninstalling because I was tired of their pop-ups and aggressive behavior. Bypassing security rules and leaving users vulnerable to a host of new attacks is terrible. I won't be back. But I wonder if there are remnants of their bad programming left in my system that I now need to uninstall manually? Would hate to leave AVG's vulnerabilities in my system even after uninstall.
Posted by:
John
05 Jan 2016
I had AVG change my search engine from google to Yahoo. Lots of trouble and I ended up re-installing windows to get rid of it.
I had a similar problem with Avast which blocked Internet Explorer. Good thing I mostly use Firefox but that anti-virus was a no go as well.
So far I haven't had any problems with Bitdefender with no unwanted PUPs. It just sits there and seems to do its job.
Posted by:
john page
05 Jan 2016
I have used Microsoft anti virus products for many years now both on windows 7 and 10 and have yet to have a virus on my computer. Am I just lucky or is defender better than we think it is?
Posted by:
Bob
15 Jan 2016
This is not a first for AVG. About a year ago they destroyed my IE browser by hijacking the home page and search engine. In an attempt to remove it, IE was damaged.
Posted by:
Bob
15 Jan 2016
AVG does not protect you from malware. AVG IS malware
Posted by:
Jim Christie
16 Jan 2016
Anything to make that last $ appears to be today's philosophy. AVG used to be good back in the year dot, but has deteriorated to the low end over the time. If they made decent programs this sort of thing would not need to be resorted to. Sell on merit.
Everyone should read lab test reports on security software. Top scorers are more than competitive on price, and are not known for sneaky tactics.
Posted by:
Clairvaux
16 Jan 2016
This, unfortunately, is a trend. From Microsoft using malware tactics to force the "gift" of Windows 10 on you, to Avast scaring you with misleading alerts about your PC needing to be "optimised" and "better protected", to most download sites being awash in PUPs, more and more, the software is the malware.
Posted by:
Ezra Shapiro
17 Jan 2016
As a computer technician I tried to get my clients the best security software. Everything I told my clients that I recommend removing AVG if I thought installed not just a tune up but the entire antivirus suite. I've noticed that it's not very effective, that is it is harsh on resources, and it has a tendency to completely slow down a person's computer or disable their Internet. Recently I've started installing panda free antivirus for my home clients and avast Free business antivirus for my business clients who don't need more features.
Posted by:
John Seitzler
17 Jan 2016
I agree with you totally. My one question is why is an ad for AVG download on this page? Seems a bit contradictory.
Posted by:
Bill Simms
17 Jan 2016
I used PC Pitstop Optimize 1.0 then 2.0 and was very happy with it. But, when I upgraded to Optimize 3.0 it would no longer work. The rep at PC Pitstop told me to upgrade to PC Matic. This would not work due to satellite internet’s ping time with Hughesnet being 700 to 900ms. For this reason I have to use AVG or another sub-standard program.
I wish PC Pitstop would allow a longer ping time on PC Matic! Then I would gladly use PC Matic made in the U.S.A.!
Posted by:
Glenn
17 Jan 2016
Removed it shortly after I installed their anti-virus product. I instantly saw what was happening and removed it in disgust. Greed, it's that simple.
Posted by:
Tev
18 Jan 2016
I bought an AVG antivirus program via Amazon, downloaded on my laptop. Couple of days later it was downgraded to Free Version. I talked to AVG's US sales people, they said there was a problem from windows 10 and asked for 119 Dollars to clean it up. I bought an ESET program and cleaned up my laptop from this AVG for good. No AVG anymore.
Posted by:
aussietaff
18 Jan 2016
AVG has always been the Hog of everything on the PC, and it is so hard to uninstall everything that it gives you. Have never liked it.
Posted by:
Jerry
18 Jan 2016
It's always about the cash. My son had AVG on his pc, nothing but trouble. It would find things that weren't malware and miss things that were. I uninstalled it and replaced it with a different antivirus. Used several malware and PUP removers to get rid of any traces of AVG and all the other malware that it had missed.
Posted by:
patcsn
19 Jan 2016
Used AVG - initially the free version then the purchased version - for a number of years until an update would not install and both my computers were left without any protection. AVG support were unable to help so I switched to Norton 360 which works well and has superb support when needed.
Posted by:
Cousinpeteb
19 Jan 2016
Thanks for the update, Bob! Once again, your newsletter has proven more valuable than gold. I have used AVG free off and on and recommended it to clients that did not have ample funds for Anti-virus protection. When it was time for a new security suite, I purchased AVG, on sale at Micro Center. I noticed the hijacking right away, but had no idea it was part of a nefarious plot by AVG. I disabled web tuneup because I found the hijacking troublesome, but had no idea it was intentional. Thanks again for filling in the blanks.
Posted by:
Mel
19 Jan 2016
AVG... CNET... CISCO/JAVA,
I'm weary of good guys becoming bad guys. The internet age seems like it's devolving into the extreme Caveat Emptor days of yore. And we wonder why our parents/grandparents want nothing to do with it?