AVG Forces Chrome Extension On Users, Extension Is Woefully Insecure (google.com)
An anonymous reader writes: The AVG Web TuneUp Chrome extension, forcibly added to Google Chrome browsers when users were installing the AVG antivirus, had a serious flaw that allowed attackers to get the user's browsing history, cookies, and more. "This extension adds numerous JavaScript APIs to Chrome, apparently so that they can hijack search settings and the new tab page," explains Mr. Ormandy. "The installation process is quite complicated so that they [AVG] can bypass the Chrome [Store] malware checks, which specifically tries to stop abuse of the [Chrome] Extension API." Simple XSS and MitM attacks expose data from other tabs opened in the browser, browsing history, and even manage to render SSL useless.
AVG used to be good and then about 4 years ago it got a lot of bloat
My best security tip, don't run as Administrator. Run everything as a limited user, and only install software from ADMIN account. Add in Windows Defender / Security Essentials, add in an Adblock / UBlock type protection and back up your data occasionally (regularly) and you're fine. Worst case I've seen, cleared by deleting said user profile.
The problem is, most people want to run everything as Admin because it is convenient.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
No idea if the Avast plugin is crappy or well-written or what, but it also tried to install itself on my Chrome and Firefox.
Fortunately Firefox had the good sense to ask me,
"An external program has tried to install something (lists the program). Do you really want to install this plugin?"
I said No.
Chrome didn't say anything, and I assume it was installed. Don't really care since I only use Chrome about once a month for sites that crap out in Firefox.
"in fact you can't even buy one for linux"
That's completely BS, but you're right about one thing... "install ... whatever OS you want", even Windows and OS X.
Pretty much the rest of your post is wrong too.
I'm sure the ClamAV guys will sell it to you if you want to pay.
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
Indeed. It's neat to see something surreptitiously installed on Chrome, which is often itself installed the same way.
Wait. Why are we talking about security issues with untrustworthy bundle-ware that replaces your default browser? Isn't it a given that it's both insecure and will spy on you?
Required reading for internet skeptics
The last company I worked for before retirement had several Linux workstations that I admin'ed. The word came down from on-high that, going forward, we would have to run the Linux version of McAfee AV, being that McAfee was the decreed AV for all of our Windows systems. Being that the Windows enterprise version of McAfee, at the time (2010-ish) was a steaming pile of cow manure, I'll give you three guesses what the Linux version was... Hard to believe ANYthing could be worse than the Windows version, but there it was... I certainly could understand having an AV on Windows, but complaints about...WHY THE $#%$% DO WE HAVE TO HAVE AN AV on Linux fell on deaf ears... But I'm retired now and my Linux systems have no such requirement...
THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
Mostly to prove it can be done, I used Windows for years without any live running AV application. I even did it without a third party software firewall and used only NAT connectivity with the router handling DHCP. I would scan, once in a while, with MBAM or similar. I would check Wireshark once in a while and look for activity that I did not recognize in the logs.
It's possible. It's not even all that difficult, just don't be stupid. This was not, of course, Windows 10. I blocked scripts and whitelisted them as needed. I used ad protection extensions. I didn't download or execute unknown applications. I used a third party browser. I kept my computer up-to-date.
No, I'd not recommend that most people go that route nor am I saying everyone can. Nothing on my network exhibited any signs of malware or an intrusion. I guess the point is, you can use Windows safely without all the cruft - but you have to practice safe hex. Don't let stuff run without expressly granting it permission and knowing what it is (within reason) before allowing it to run. Use least permissions, Windows has permissions - use them. I did not use Microsoft's free AV - I did use the included Windows Firewall. I also used Acronis True Image but never, to the best of my knowledge, had to use it because of a malware infection.
It's not terribly difficult if you're willing to learn and be patient. I use Linux, exclusively even, today and am happier here than I was there. I'd always kept Linux installed on one partition or another but didn't use it nearly enough - I stopped poking in the early/mid 2000s but kept it installed and kept it up to date. I was already familiar with AIX and Solaris.
I found that I wasn't learning anything new. I'd become mentally fat and a mere consumer. So, I switched to Linux exclusively. I may go to GhostBSD next. It could be a while, I'm not yet feeling like I'm stagnating. However, I digress.
If you want to work at it and remain vigilant then you can use Windows without even an AV running constantly. If you are reasonably alert and attentive then you can do it just fine with an AV running live. Gone are the days of just being able to toss a box up on the 'net and expect it to be hacked in mere seconds or minutes.
"So long and thanks for all the fish."
Good man. You know why. Not many of us are comfortable admitting our mistakes and learning from them. It's something I pride myself on and post lots of things hoping that people will make me find my own logical inconsistencies or to otherwise learn from them.
That said, yeah, you can buy AV for Linux. I'm not actually sure why you'd want to (unless you're worried about something in WINE getting infected or might be responsible for handing files off to others who might be infected). If I could pick one application that I'd like to see ported to Linux it would be Agnitum's Personal Firewall. Yes, you can do everything that it does with some combinations of CLI and GUI. Well, probably all in CLI if you wanted. However, their firewall is slick, highly configurable, and really damned secure (depending on who is in the chair at the desk).
Anyhow, kudos. There are many who could stand to learn from your behavior. It's good to admit you're mistaken - it means you're learning something and willing to accept new information and change your opinion. If your reasoning isn't challenged and you're not open to doing so with as little bias as possible, then how do you know that they're logistically consistent? The easiest person for us to fool is ourselves.
"So long and thanks for all the fish."
He should find someone else to do his tech support.