AVG's 'Secure Search' Toolbar May Create Security Risk
Security problems don't look good on any company's record, but they're particularly unflattering for companies that specialize in digital security. Amsterdam-based antivirus-software maker AVG Technologies suffered a blow yesterday (July 7) when the U.S. Department of Homeland Security warned of serious flaws in AVG's Secure Search browser toolbar that affect Microsoft Internet Explorer.
The AVG Secure Search toolbar is meant to protect users from malicious websites and sites that collect their browsing information. However, the U.S. Computer Emergency Response Team (US-CERT), a joint project of DHS and Carnegie Mellon University in Pittsburgh, found that attackers could remotely seize control of a computer using the Internet Explorer version of the toolbar.
AVG has already released an update to the Secure Search toolbar, which can be found on the company's website. If you'd rather remove AVG Secure Search from Internet Explorer entirely, here's how to reset your Internet Explorer settings.
The AVG Secure Search flaw exists in the way the toolbar interacts with Microsoft's ActiveX software framework, heavily used in Internet Explorer. AVG Secure Search contains an ActiveX control called ScriptHelperApi that websites shouldn't be able to access.
Websites can in fact invoke ScriptHelperApi, according to US-CERT, resulting in a remote-code-execution flaw that could let an attacker install and run malware, or gather personal data, on an affected computer. There's no evidence this flaw was exploited in the wild, but attackers could have created a specially crafted malicious Web page, tricked AVG Secure Search users into visiting it and then taken over their computers.
If you use any AVG products, you probably have the AVG Secure Search toolbar installed. It comes bundled with most AVG software, such as the company's free PC antivirus product (our review of which can be found here), as well as other free software downloads such as media players.
The toolbar is not always clearly marked during installation, nor is it easy to remove, leading some people to dub AVG Secure Search "foistware," unwanted software foisted upon users of a separate product, or a "potentially unwanted program" (PUP).
Aside from being annoying and cluttering, such undesired software creates yet another entry point that attackers could use to gain access to your computer. Each piece of software is a possible avenue for attackers, which is why you want to install only the most trustworthy programs.
Most people don't know they're downloading AVG Secure Search to begin with, much less that it contained such a serious flaw. AVG has now patched this flaw, as US-CERT researcher Will Dormann informed AVG of his findings several weeks ago. AVG's update went live June 1, more than a month before Dormann authored US-CERT's report.