Slashdot Mirror


AVG Forces Chrome Extension On Users, Extension Is Woefully Insecure (google.com)

An anonymous reader writes: The AVG Web TuneUp Chrome extension, forcibly added to Google Chrome browsers when users were installing the AVG antivirus, had a serious flaw that allowed attackers to get the user's browsing history, cookies, and more. "This extension adds numerous JavaScript APIs to Chrome, apparently so that they can hijack search settings and the new tab page," explains Mr. Ormandy. "The installation process is quite complicated so that they [AVG] can bypass the Chrome [Store] malware checks, which specifically tries to stop abuse of the [Chrome] Extension API." Simple XSS and MitM attacks expose data from other tabs opened in the browser, browsing history, and even manage to render SSL useless.

3 of 170 comments

  1. Don't run as Administrator by Archangel+Michael · Score: 3, Insightful

    My best security tip: don't run as Administrator. Run everything as a limited user, and only install software from ADMIN account. Add in Windows Defender / Security Essentials, add in an Adblock / UBlock type protection and back up your data occasionally (regularly) and you're fine. Worst case I've seen, cleared by deleting said user profile.

    The problem is, most people want to run everything as Admin because it is convenient.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  2. Re:Security theater by NotInHere · Score: 1, Insightful

    Windows encourages the behaviour of downloading stuff from the net, executing the msi or exe installer, then giving it admin access.

    Linux has specific package managers for this, with software for almost all things you need. I have only very little stuff on my box that doesn't come from my Ubuntu package manager.

    Yes, linux isn't the solution for everything, but the fact that if everyone uses linux then linux is targeted by attackers and the situation is as bad or worse on linux doesn't make the other fact wrong, that there is much less risk currently of getting infected with linux malware when running it as a desktop OS, and not doing stupid things (like living on a publicly reachable IP, having ssh activated and the root password "root").

    Also, linux stands for another approach in improving security of the operating system. Instead of installing some huge monolithic anti-virus, the research can focus more on how to make the infrastructure as hard to abuse as possible. On windows this isn't possible, at least not if you aren't employed by microsoft, and even within microsoft only very few are heard I presume.

  3. Re:*slow clap* by narcc · Score: 4, Insightful

    Indeed. It's neat to see something surreptitiously installed on Chrome, which is often itself installed the same way.

    Wait. Why are we talking about security issues with untrustworthy bundle-ware that replaces your default browser? Isn't it a given that it's both insecure and will spy on you?