AVG Forces Chrome Extension On Users, Extension Is Woefully Insecure (google.com)
An anonymous reader writes: The AVG Web TuneUp Chrome extension, forcibly added to Google Chrome browsers when users were installing the AVG antivirus, had a serious flaw that allowed attackers to get the user's browsing history, cookies, and more. "This extension adds numerous JavaScript APIs to Chrome, apparently so that they can hijack search settings and the new tab page," explains Mr. Ormandy. "The installation process is quite complicated so that they [AVG] can bypass the Chrome [Store] malware checks, which specifically tries to stop abuse of the [Chrome] Extension API." Simple XSS and MitM attacks expose data from other tabs opened in the browser, browsing history, and even manage to render SSL useless.
AVG used to be good and then about 4 years ago it got a lot of bloat
My best security tip, don't run as Administrator. Run everything as a limited user, and only install software from ADMIN account. Add in Windows Defender / Security Essentials, add in an Adblock / UBlock type protection and back up your data occasionally (regularly) and you're fine. Worst case I've seen, cleared by deleting said user profile.
The problem is, most people want to run everything as Admin because it is convenient.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
No idea if the Avast plugin is crappy or well-written or what, but it also tried to install itself on my Chrome and Firefox.
Fortunately Firefox had the good sense to ask me,
"An external program has tried to install something (lists the program). Do you really want to install this plugin?"
I said No.
Chrome didn't say anything, and I assume it was installed. Don't really care since I only use Chrome about once a month for sites that crap out in Firefox.
" in fact you can't even buy one for linux"
That's completely BS, but you're right about one thing... "install ... whatever OS you want", even Windows and OS X.
Pretty much the rest of your post is wrong too.
Yes, in fact you can't even buy one for linux.
Avast Anti-Virus for Linux. Purchasable for $199 per server per server.
I'm sure the ClamAV guys will sell it to you if you want to pay.
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
Dear Slashdot admins,
Since the subject of Chrome has come up, please beware that either a Slashdot or Chrome change has broken the ability to comment using this combination. Any attempt to submit the comment says that I couldn't prove I am human, while similar action on, say, Safari works perfectly.
Happy holidays and please take a look at this at your earliest convenience. I am using current stable Chrome on MacOSX 10.11.2, and the browser works well on other sites.
There are several Linux AV available. For instance: https://www.eset.com/us/produc...
Any anti-virus for linux you can buy just checks files or emails for malicious content. It's not really comparable to the type of anti-virus offered for windows.
If I ran around installing Linux or FreeBSD on everyone's computer and then instructed them to start a VM for Windows programs my phone would be ringing ten times as much as it does already for free support requests. To be fair, I do recommend Linux for a lot of people, and even take the time to sit down with them for a few hours to get them acquainted while putting plenty of basic documentation in their documents folder, but I tell the vast majority of people to stick with Windows or get a Mac. Never forget how advanced you are, I know very well it is easy to take for granted as I sometimes do so myself. Fact of the matter is, Linux is not for a whole lot of people. And FreeBSD? For a regular person? As a desktop OS? Huh? I love FreeBSD, it is my go to server OS. But even I have never bothered installing a GUI on it and using it as a day to day desktop driver. Anti-virus software is a complex subject, but I will sooner explain the whole messy situation and advise on best practices and what software is best rather than just nuke their hard drive and replace the OS. That is almost always overkill. Oh, and there is such a thing as anti-virus software for Linux. Comodo for one. Although I have no idea what it does or why anyone would need it. If someone could shed light on that it would be cool.
Brought to you by Carl's Junior.
It's a virus scanner, and follows the unix philosophy. It's not a rootkit like monolith that does some opaque processing in the background, installs plugins for every browser showing right to each link whether it's safe (why can't it just simply warn if you try to click such a link?!), nor does it annoy you with update popups, or even block non-malicious software (yes, people I know quite a few false positives, and it's just impossible to add exceptions for those programs). It really can't be called anti-virus.
Wrong. Wanna try again?
Why? Why do people believe that if they install a different OS then they will be magically protected from all the malware on the net? This is like people saying how buying a mac will make them free of any malware forever, which has been proven wrong multiple times. I have even read articles about Linux seeing an increase of malware.
This is a browser extension vulnerability, not an OS vulnerability, two different things. On top of that, you're telling people to install a completely new OS which they would have to learn and then find alternatives to their software they use, which in a lot of cases can't perform the way they want versus their windows/OSX counterpart. Plus you push a novice into a different OS, they have a high chance of installing a rogue application because they don't know any different.
Telling someone to just install a different OS so they won't get malware is like telling someone to just never connect to the internet. It's possible, people can do it, but chances of it working out fluidly and with no issues is very unlikely (especially for a common user) and it doesn't really protect them from getting infected or hacked.
Yes, I admit, my solution is violating Kant's categorical imperative (only do stuff that can be basis for a universal law).
In fact, some aspects of linux are worse security wise than on windows. But as linux operating systems are open source, security researchers can freely improve the security of the system: you don't have to eat one entity's dog food. Just look at wayland and the xdg-app idea for improvement in these areas.
Anti-virus software for linux is just used on mail or file servers, to check the content they handle. It does not check the health of the host system.
Trollololol.
Windows encourages the behaviour of downloading stuff from the net, executing the msi or exe installer, then giving it admin access.
Linux has specific package managers for this, with software for almost all things you need. I have only very little stuff on my box that doesn't come from my ubuntu package manager.
Yes, linux isn't the solution for everything, but the fact that if everyone uses linux then linux is targeted by attackers and the situation is as bad or worse on linux doesn't make the other fact wrong, that there is much less risk currently to get infected with linux malware when running it as desktop os, and not doing stupid things (like living on a publicly reachable ip, having ssh activated and the root password "root").
Also, linux stands for another approach in improving security of the operating system. Instead of installing some huge monolithic anti-virus, the research can focus more on how to make the infrastructure as hard to abuse as possible. On windows this isn't possible, at least not if you aren't employed by microsoft, and even within microsoft only very few are heard I presume.
Seems you won, they mentioned the term "developer workstation".
Yes, in fact you can. AV corporations know that in spite of the lack of threats, AV protection is still a checklist item for any piece of IT gear going into some organizations. That's why not only can you buy it, but it's usually a pricey package with "Enterprise" in the name.
Log in or piss off.
Indeed. It's neat to see something surreptitiously installed on Chrome, which is often itself installed the same way.
Wait. Why are we talking about security issues with untrustworthy bundle-ware that replaces your default browser? Isn't it a given that it's both insecure and will spy on you?
Required reading for internet skeptics
You can get symantec also and it's needed because there are viruses written for linux. Granted many of them are intended to infect ftp, web, and mail services which you probably aren't running on a workstation, although if the steam machine really takes off that may change and we may start seeing more.
...then new owners decided they're in it for the money, not customer satisfaction and a reasonable profit. So, I didn't see this; I've already migrated all my clients to Webroot...cheaper, better, and without all the self-serving pop-up messages or uninvited "adds-on" to other products and the O.S.
Webroot is a good product, albeit underdocumented (what is it with all these security companies who think their products don't need or shouldn't have Admin or User documentation???).
Try and block Akamai with your hosts files fool. Let me know how well that Windows system updates. Don't need to block Akamai? Remember the security updates and security compromises are hosted on the same servers now.
Which is what makes it a lot more dangerous. I'll just leave these here for your perusal. Oh and be sure to respond with a typical fanboy "but but but those don't count!" just like the Apple iHeads did when MacDefender came out and they went from "Apple doesn't get viruses" to "that doesn't count because it's technically not a virus, it's a trojan!" LOL.
ACs don't waste your time replying, your posts are never seen by me.
" And if you really need windows for some program or so, start it in a VM, not connected to the internet. Problem solved."
Yes. That works really well for A-list games. Oh wait. It doesn't work at all.
Try a solution that Richard Stallman wouldn't suggest. Hmm?
"Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
IBM doesn't even make i86/ia64/etc compatible computers anymore. They sold that off to the Chinese company that bought Lenovo YEARS ago. IBM used to love OS/2, aka CONCENTRATED EVIL. I think I'll forgo IBM's opinion on the matter.
The last company I worked for before retirement had several Linux workstations that I admin'ed. The word came down from on-high that, going forward, we would have to run the Linux version of McAfee AV, being that McAfee was the decreed AV for all of our Windows systems. Being that the Windows enterprise version of McAfee, at the time (2010-ish) was a steaming pile of cow manure, I'll give you three guesses what the Linux version was... Hard to believe ANYthing could be worse than the Windows version, but there it was... I certainly could understand having an AV on Windows, but complaints about...WHY THE $#%$% DO WE HAVE TO HAVE AN AV on Linux fell on deaf ears... But I'm retired now and my Linux systems have no such requirement...
THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
I agree with you. Terribly bloated these days. I had all my clients using AVG for Business for 10 years. Finally switched them all to another product this year. AVG's support is a joke too. I used to recommend them to everyone. Now I recommend everyone find something else.
Except the fact is that trojans aren't viruses. "antivirus" products should preferably be called malware scanners, not virus scanners.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Mostly to prove it can be done, I used Windows for years without any live running AV application. I even did it without a third party software firewall and used only NAT connectivity with the router handling DHCP. I would scan, once in a while, with MBAM or similar. I would check Wireshark once in a while and look for activity that I did not recognize in the logs.
It's possible. It's not even all that difficult, just don't be stupid. This was not, of course, Windows 10. I blocked scripts and whitelisted them as needed. I used ad protection extensions. I didn't download or execute unknown applications. I used a third party browser. I kept my computer up-to-date.
No, I'd not recommend that most people go that route nor am I saying everyone can. Nothing on my network exhibited any signs of malware or an intrusion. I guess the point is, you can use Windows safely without all the cruft - but you have to practice safe hex. Don't let stuff run without expressly granting it permission and knowing what it is (within reason) before allowing it to run. Use least permissions, Windows has permissions - use them. I did not use Microsoft's free AV - I did use the included Windows Firewall. I also used Acronis True Image but never, to the best of my knowledge, had to use it because of a malware infection.
It's not terribly difficult if you're willing to learn and be patient. I use Linux, exclusively even, today and am happier here than I was there. I'd always kept Linux installed on one partition or another but didn't use it nearly enough - I stopped poking in the early/mid 2000s but kept it installed and kept it up to date. I was already familiar with AIX and Solaris.
I found that I wasn't learning anything new. I'd become mentally fat and a mere consumer. So, I switched to Linux exclusively. I may go to GhostBSD next. It could be a while, I'm not yet feeling like I'm stagnating. However, I digress.
If you want to work at it and remain vigilant then you can use Windows without even an AV running constantly. If you are reasonably alert and attentive then you can do it just fine with an AV running live. Gone are the days of just being able to toss a box up on the 'net and expect it to be hacked in mere seconds or minutes.
"So long and thanks for all the fish."
" And if you really need windows for some program or so, start it in a VM, not connected to the internet. Problem solved."
Yes. That works really well for A-list games. Oh wait. It doesn't work at all.
Try a solution that Richard Stallman wouldn't suggest. Hmm?
Do you really believe Stallman would suggest this? Hahahahahahahahaha.
Good man. You know why. Not many of us are comfortable admitting our mistakes and learning from them. It's something I pride myself on and post lots of things hoping that people will make me find my own logical inconsistencies or to otherwise learn from them.
That said, yeah, you can buy AV for Linux. I'm not actually sure why you'd want to (unless you're worried about something in WINE getting infected or might be responsible for handing files off to others who might be infected). If I could pick one application that I'd like to see ported to Linux it would be Agnitum's Personal Firewall. Yes, you can do everything that it does with some combinations of CLI and GUI. Well, probably all in CLI if you wanted. However, their firewall is slick, highly configurable, and really damned secure (depending on who is in the chair at the desk).
Anyhow, kudos. There are many who could stand to learn from your behavior. It's good to admit you're mistaken - it means you're learning something and willing to accept new information and change your opinion. If your reasoning isn't challenged and you're not open to doing so with as little bias as possible, then how do you know that they're logistically consistent? The easiest person for us to fool is ourselves.
Don't use "Tune Up" type products.
Most of the time they don't do JACK SHIT.
And in the few instances where they might actually improve performance, they're likely compromising either system/application security/stability.
Plus, they're installing this additional crapware and hijacking your browsers.
FUCK.
THAT.
NOISE.
Chas - The one, the only.
THANK GOD!!!
Sadly we do not get to decide language, the general public does, and malware is a word used by tech but to the rest of the world? It's a virus no matter what form it takes. I wish it weren't so but we lost that fight, along with everyone from script kiddies to government cyberspies being called "hackers" a loooong time ago.
"I used Windows for years without any live running AV application" Yeah, that's called using your common sense, which, ironically, is pretty uncommon.
Oblivion Awaits
i recently installed free avg antivirus on my (70 year old) neighbor's laptop. it installed a firefox extension which, if disabled or uninstalled, makes the main avg program complain without end. it did give me a choice to not install the extension during software install but i thought i'd try it and disable/uninstall it if i didn't like it. tough titties! the neighbor is now stuck with a stupid 'avg search' homepage until i find time to visit and reinstall it.
Mostly to prove it can be done, I used Windows for years without any live running AV application.
I've done the same, except I used an extremely pared down version, with almost no services running. IIRC, I was down to about 13 running processes at startup. System worked fine, only running 3rd party software. I ran no MS software on it at all. Most of all - no Windows Update. That virus downloads all kinds of crap I didn't need or want. With this setup, you don't even need a firewall, as no ports are open. After 3 years and an offline virus scan, no viruses or malware found. It should also be mentioned that it ran relatively quickly without all that cruft, with a boot time less than half of a standard windows install, meaning it was actually usable. By contrast, I have seen a Win7 Pro work laptop that takes upwards of 2 minutes to boot today, thanks to something like 67 processes getting loaded on startup. My Win7 VM starts up in less than half that time, but it's a bare installation.
I went with Fedora, Ubuntu and Mint after that which were all fine at the time, but various continuing challenges finally put me on a mac. I now run other OSes in VMs, simplifying my life significantly.
The cesspool just got a check and balance.
IBM doesn't even make i86/ia64/etc compatible computers anymore. They sold that off to the Chinese company that bought Lenovo YEARS ago. IBM used to love OS/2, aka CONCENTRATED EVIL. I think I'll forgo IBM's opinion on the matter.
OS/2 was a pretty decent system, better than Windows at the time IMNSHO, and possibly even today. But when IBM wholesale changes their employees' systems away from Windows, you have to ask yourself exactly why, especially when Macs are reportedly so darn expensive (that's a hopefully dead meme by now, while you can buy a cheaper windows machine with much lower specs, equivalent machines are more than competitive). You should also ask yourself why IBM would do so just when the next greatest OS release from MS was about to drop, complete with its "live update" process that you can't opt out of. <-- yes, that's rhetorical
He should find someone else to do his tech support.
There is no virus other than proof of concept for Linux.
Of course there is.
The only product WORSE than Norton.
You should also ask yourself why IBM would do so just when the next greatest OS release from MS was about to drop, complete with its "live update" process that you can't opt out of.
Are you saying IBM's IT department was too stupid to use WSUS or even to set delayed updates through GPO and use another solution?
Yes, updates are forced on Windows 10 Home users, as it has been proven time and again that they are incapable of managing updates. Don't like the automatic updates, spring for the Pro edition or set up a domain.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Remember when AVG was an actually good product?
No, I remember when it took over the MBR back in Windows 98-2000, which could result in an impossible to remove installation. It has always been an officious piece of shit.
I was thinking you would link to a Bash script that just does an obfuscated "rm -r /" or "dd -i /dev/random -o /dev/sda1"
(I think I have that dd correct, not really a big user of dd, and don't feel like looking it up)
LOL, she is less of a psycho stalker than you apparently, as you chose to interject on a totally unrelated thread about her.
Also, APK, you are the AC stalker extraordinaire, who are you to try and claim that she was AC stalking you?
There is good reason for people to post AC in response to you. You take every and all criticism personally, and won't admit when you are wrong. You also spam flood any dissenting opinions, even when every one of your points has been refuted. You are the ultimate in psychopathic stalkers, and you are complaining that Barbara suggested that people post AC in response to you?
You gonna start up on me again? I LOVE the attention.
Then get Trend Micro Server protect. Trend Micro's virus scanner on Windows installs plugins into browsers as well, but it works as you describe. I doubt their Linux virus scanner does the same thing, as Linux is thought of as a server OS only by them.
http://www.trendmicro.com/us/e...
It doesn't matter what Linux compatible virus scan you choose, it is your choice.
https://www.linux.com/news/sof...
Yeah, that's a very valid addition. If you're not using services then turn them off. Err... It's been a while but I think you loaded that with just services.msc from the prompt. If you don't know what the service is, use a search engine. You can use manual and, well sometimes, it will start the service when you do something that invokes the service or you can disable it.
As for Linux... Well, I think I tried *all* of them. Not quite but every single one in the top 20 at DistroWatch. Plus a bunch more. VM on VM on VM and just so many. I don't really have a favorite except I'm kind of partial to LXDE and the Ubuntu ecosystem so I use Lubuntu and Mint Cinnamon as Cinnamon isn't bad either. Sometimes, I don't even install the OS but just run it from a Live USB. It's not like I don't have enough RAM. With enough RAM and being patient to let it load, it actually gets pretty speedy in a Live USB environment - for what I'm often doing (which is absolutely as little as possible 'cause I'm old like that).
That and manually updating instead of automatic updating windows helped. I manually kept up on the updates for Windows and for the various apps. I'd update as needed. I'd scan, usually once a week but I didn't always remember, and check. I didn't do anything like banking on the computer - I never do. I never will. Even with the best security practices that I can manage, there's no incentive for me to bank online. Errr... To credit union online perhaps? Well, I do have a few bank accounts but I digress.
It takes some work, at first, to really figure out how you'll attack the problem. I think we've pretty much covered the ideas if not the individual things. Since switching to using Linux exclusively, I no longer feel as if my brain is turning to mush. I feel a day without learning is a day without growth and if I'm not growing then I'm not improving. I like to improve. I like to learn. I like to grow. 'Tis one of the reasons that being wrong doesn't bug me much. So long as I'm still wrong, I've got room to improve.
Same thing with "hackers". Pity.
You should also ask yourself why IBM would do so just when the next greatest OS release from MS was about to drop, complete with its "live update" process that you can't opt out of.
Are you saying IBM's IT department was too stupid to use WSUS or even to set delayed updates through GPO and use another solution?
Yes, updates are forced on Windows 10 Home users, as it has been proven time and again that they are incapable of managing updates. Don't like the automatic updates, spring for the Pro edition or set up a domain.
I guess you didn't read the policy pieces where MS said yes, you can delay updates, but only for 3 months, max? That has since been extended to a max of 12 months due to massive backlash, but you will update, whether you want to or not if you're running Win10. You no longer own your own installation, MS does. You only get to manage the delays for updates within a 12 month window. That would be concerning to any business, IMNSHO.
Wow, just wow. As I pointed out, I ONLY mentioned our previous arguments as counter-proof to another poster who claimed that slashdot engages in the practice of deleting posts. You chose to take that as an attack when in the given context it clearly wasn't. You have to admit that if slashdot had a policy of deleting comments, many of yours would be at the top of most users' lists. Okay, I get it, you mistook what I wrote as singling you out and decided to throw rocks again, and I'm sorry for the misunderstanding. But everything you've posted today goes under the label "no harm, no foul." It not only doesn't bother me, but also gives me a chance to try to remove some of the stigma people associate with others who are different, so I consider that a good thing.
Plenty of people have defended me in the past - why is that so hard to believe? The majority of people accept transsexuals and don't think we're an "it." A sex change does not remove the fact that someone is a human being, not an "it".
He... doesn't seem too crushed to me.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
The trade shows were comdex and supercom, way back in 1995. The company went through a re-org, then a renaming, then belly up after I left because I saw they didn't have the hardware expertise to bring the product to market, and it was just one excuse after another for delays that ultimately stretched into the new century. Do you really think I'm going to keep floppy disks from 1995?
And pretty much everything else is covered by NDA, as per industry practice. THOSE businesses haven't gone bankrupt, so you can be darned sure I'm keeping my mouth shut.
Also, you know very well I was off slashdot for an extended period of time because I could no longer read (you made a big enough point of my being a "one-eyed cyclops", even though doctors have over the ensuing years managed to restore most of my sight to one eye, and a lot of it to the other). So how would I accumulate these mythical mod points without posting? Oh, right - magic transsexual powers. I'm not buying it, and neither is anyone else.
so i keep telling him. an elderly gentleman who guilts me into occasional tech support. and like all 70 year olds, he's as stubborn as a mule. i tell him to buy good used laptop A, he lets his grandson pick shitty but pretty laptop B. i install and teach him a simplified ubuntu 8.04 (years ago), he lets his grandson restore vista instead. it's a multi-level clusterf*ck.
oh that ever-present feeling of knowing everything. i miss being 16.
For fuck's sake, just die already. Go join ISIS or something more in tune with your fanaticism.
Such a fake name, eh? Go to the Cleveland city records office and ask for my birth certificate. Shouldn't be hard to find my name in order to do that. Then come find me in Hercules, CA and see how fake I am. As for my accomplishments in computing, many have been for private ventures and none have been on the backs of others nearly to the degree that your one accomplishment has. Keep talking, though.