Irony Report: AVG Had Sketchy Chrome Extension

December 30, 2015 - Written By Daniel Fuller

You may be familiar with AVG Antivirus, a free antivirus program that’s been around in some form or another since 1998. A powerful early competitor in the emerging antivirus industry, AVG evolved with the times fairly well and can now be found for free on the web, with more powerful pro versions available, and on mobile devices. AVG even began packaging a Chrome extension that was meant to give users a bit of extra peace of mind on the web by detecting and stopping attacks before they reached a user’s computer. This addon came at a small price, allowing AVG control of a user’s startup page and search bar, most likely for ad purposes or to allow fixes after malicious hijacking of the same.

Thing is, this little bit of control handed over to AVG had an enormous hole. For starters, the extension installed itself and took control by literally circumventing Chrome’s built-in security. On top of that, because the extension didn’t check where code was coming from, any attacker could use that hole to inject code into a webpage and execute it on the machine. AVG’s assumption that they were the only ones who would know about this proverbial open window wound up drawing the ire of a wide range of users. The exploit could possibly even have led to remote code execution and total control by the attacker. A few users on Google Code banded together to explore the security hole and make sure AVG got around to fixing it.

After one unsuccessful patch attempt, AVG did manage to get it fixed in a hacky sort of way by implementing a security checkpoint of sorts, but the extension effectively breaks some web content in doing so. Sadly, this is far from the first or last time that antivirus makers will make mistakes in their software, fail to keep up with hackers or just plain leave security holes wide open. AVG still comes with the extension, but it should no longer be a security risk. This issue should not affect users of most other browsers at all, but best practice is to always keep your guard up on the web and never place full trust in any software, even that which your device ships with.