AVG Security Toolbar Vulnerability Puts IE Users At Risk

[HardOCP News]

If I'm not mistaken, I'm pretty sure security toolbars are supposed to do the opposite of this.

All these conditions make it possible for an attacker to execute malicious code on the computer of a user who has a vulnerable version of AVG Secure Search installed, if the user opens a specifically crafted HTML Web page, email message or attachment in Internet Explorer. The rogue code would be executed with the privileges of the logged-in user, Dormann said.

 

[Cerulean]

Say no to toolbars!

 

[Dekoth-E-]

Say no to toolbars!

This...One would think a "Security Company" would know better. One would think people would learn to quit installing these things...but..they don't.

 

[Deleted member 126051]

This...One would think a "Security Company" would know better. One would think people would learn to quit installing these things...but..they don't.

The thing is, "security" isn't a product. It's an ongoing process and a way of thinking. Product just helps it along.

The other thing is, you have millions of lines of code between the OS, drivers, browser, networking stack, add-on, etc. And they're all very temporally secure.

So, in the following configuration, it might be secure:

OS: Version 7.111.111.111
Browser: Version 29.223
AV (and add-on): Version 2014.1.2.3

But, a couple weeks later, after some updates:

OS: Version 7.112.184.199
Browser: Version 30.017
AV (and add-on): Version 2014.2.5.17

And now there's a nasty hole opened up in the code that allows Bad Things to happen.


Also, it's nigh-on-impossible to envision EVERY form of attack. Even for someone who's IN the secure code business. Even with the craziest "secure coding" mandates.

And the main thing, everything nowadays is so rushed it's not even funny.

This is the ultimate era of "ship and patch". Spending 6 months code auditing every product that comes through Q&A means that you essentially NEVER ship anything or ship it too late to actually do any good. And in an AV product, where (at LEAST) daily updates are EXPECTED?

Not apologizing for these guys. They fucked up.

But expecting 100% perfect product (when there's no such thing) from a company with those kinds of timelines, versus a security researcher/cracker who can take the time to fully dissect the product?

I'd say that's a bit on the unfair side.

 

[Suicidal Insanity]

Not exactly surprising, their email / network security module drops random packets of random TCP/IP connections and they aren't fixing it.

 

[Ashbringer]

I'm at a point where some of these anti virus programs are worse then the virus. To the point where I just don't run them anymore. Got tempted a few times to put Linux on my main rig and call it a day.

 

[sfsuphysics]

Yeah, having your virus scanner scan every page you look at... sure that's not going to bog down my browser at all.

 

[bucketlist]

Say no to toolbars!

NEVARR!!

 

[Dekoth-E-]

The thing is, "security" isn't a product. It's an ongoing process and a way of thinking. Product just helps it along.

The other thing is, you have millions of lines of code between the OS, drivers, browser, networking stack, add-on, etc. And they're all very temporally secure.

So, in the following configuration, it might be secure:

OS: Version 7.111.111.111
Browser: Version 29.223
AV (and add-on): Version 2014.1.2.3

But, a couple weeks later, after some updates:

OS: Version 7.112.184.199
Browser: Version 30.017
AV (and add-on): Version 2014.2.5.17

And now there's a nasty hole opened up in the code that allows Bad Things to happen.


Also, it's nigh-on-impossible to envision EVERY form of attack. Even for someone who's IN the secure code business. Even with the craziest "secure coding" mandates.

And the main thing, everything nowadays is so rushed it's not even funny.

This is the ultimate era of "ship and patch". Spending 6 months code auditing every product that comes through Q&A means that you essentially NEVER ship anything or ship it too late to actually do any good. And in an AV product, where (at LEAST) daily updates are EXPECTED?

Not apologizing for these guys. They fucked up.

But expecting 100% perfect product (when there's no such thing) from a company with those kinds of timelines, versus a security researcher/cracker who can take the time to fully dissect the product?

I'd say that's a bit on the unfair side.

I am well aware of all of that. I was commenting on the "Toolbar" as a practice. These things have never been secure, never will be secure and are generally one of the most invasive forms of malware out there. Yes I called it malware because that is exactly what it is. AVG as a "security" company should damn well know better. I don't expect a perfect product when it comes to AV, as I am well aware that would be unrealistic.

 

[GoodBoy]

Toolbars all suck. I have yet to come across one I would actually want to use.

They are malware.

 

[ccityinstaller]

NEVARR!!

I LoL'd..

 

[SticKx911]

Toolbars all suck. I have yet to come across one I would actually want to use.

They are malware.

The old google toolbar before browsers could decipher search from address. That was the last toolbar I kinda liked. Now I cringe when I do repairs on PC's that have more tool bars than browser space.

 

[hurleybird]

One would think people would learn to quit installing these things...but..they don't.

I don't think anyone intentionally installs them.