AVG Forces Chrome Extension On Users, Extension Is Woefully Insecure

An anonymous reader writes: The AVG Web TuneUp Chrome extension, forcibly added to Google Chrome browsers when users were installing the AVG antivirus, had a serious flaw that allowed attackers to get the user's browsing history, cookies, and more. "This extension adds numerous JavaScript APIs to Chrome, apparently so that they can hijack search settings and the new tab page," explains Mr. Ormandy. "The installation process is quite complicated so that they [AVG] can bypass the Chrome [Store] malware checks, which specifically tries to stop abuse of the [Chrome] Extension API." Simple XSS and MitM attacks expose data from other tabs opened in the browser, browsing history, and even manage to render SSL useless.

AVG used to be good and then about 4 years ago

[Joe_Dragon]

AVG used to be good and then about 4 years ago it got a lot of bloat

Re:AVG used to be good and then about 4 years ago

[avandesande]

I quit using it years ago, I found using Microsoft Security Essentials and running Malwarebytes once a month was satisfactory.

Re:AVG used to be good and then about 4 years ago

[LinuxIsGarbage]

AVG and Avast have a combination of bloat, or nags that try to scare you into upgrading to a pay version. MSE, whether or not it's the top in the charts on detection, is a very good option for "set and forget" when dealing with distant relatives.

Re:AVG used to be good and then about 4 years ago

[wbr1]

MSSE was great, but the catch rate has really fallen off in the past 2 years. For a free AV bitdefender or avira are where it is at. Avira tends to be spammy, while bitdefender is quiet, so there in is my current top of the heap.
Add in a free MalWareBytes scan every 2 weeks, a good adblocker, and non-ISP DNS and you can't get much better.
If you think you are infected, MalwareBytes anti-root kit, hitman pro, and malwarebytes, and adwcleaner are a good combot to get most stuff out.
Source, I manage a shop that does lots of residential repairs (ie 80% viruses).

Don't run as Administrator

[Archangel+Michael]

My best security tip, don't run as Administrator. Run everything as a limited user, and only install software from ADMIN account. Add in Windows Defender / Security Essentials, add in a Adblock / UBlock type protection and back up your data occasionally (regularly) and you're fine. Worst case I've seen, cleared by deleting said user profile.

The problem is, most people want to run everything as Admin because it is convenient.

Re:*slow clap*

[narcc]

Indeed. It's neat to see something surreptitiously installed on Chrome, which is often itself installed the same way.

Wait. Why are we talking about security issues with untrustworthy bundle-ware that replaces your default browser? It's it a given that it's both insecure and will spy on you?

Re:Security theater

[LVSlushdat]

The last company I worked for before retirement had several Linux workstations that I admin'ed. The word came down from on-high that, going forward, we would have to run the Linux version of McAfee AV, being that McAfee was the decreed AV for all of our Windows systems. Being that the Windows enterprise version of McAfee, at the time (2010-ish) was a steaming pile of cow manure, I'll give you three guesses what the Linux version was... Hard to believe ANYthing could be worse than the Windows version, but there it was... I certainly could understand having an AV on Windows, but complaints about...WHY THE $#%$% DO WE HAVE TO HAVE AN AV on Linux fell on deaf ears... But I'm retired now and my Linux systems have no such requirement...