AVG Antivirus has been a popular security suite for more than a decade. The company claims more than 200 million active devices, including 100 million mobile installations. Over the past few years, the company has come under increasing fire for installing its AVG SafeSearch toolbar without permission, and announcing that it would sell consumer data to advertisers. Now, the company may have finally gone too far, thanks to an enormous problem in its AVG Web TuneUp software that fundamentally broke security for Google Chrome users.

The AVG Web TuneUp extension

On December 15, Google Security researcher Tavis Ormandy filed a bug report with AVG, noting that the software:

"[A]dds numerous JavaScript API's to chrome, apparently so that they can hijack search settings and the New Tab page. The installation process is quite complicated so that they can bypass the Chrome malware checks, which specifically tries to stop abuse of the extension API."

Ormandy followed up the bug report with a self-described angry email sent directly to AVG. In it, Ormandy writes:

"I'm really not thrilled about this trash being installed for Chrome users. The extension is so badly broken that I'm not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it's a PuP [potentially unwanted program].

However, my concern is that your security software is disabling web security for 9 million Chrome users, apparently so that you can hijack search settings and the new tab page.

There are multiple obvious attacks possible, for example, here is a trivial universal xss in the 'navigate' API that can allow any website to execute script in the context of any other domain." (The relevant code samples can be viewed at the initial bug report.)

AVG released a broken patch for the problem on Dec 19, which Google promptly rejected. The company revised its patch once again, but as of Dec 28, Google is reviewing the extension to determine if AVG will be allowed to offer it at all.

A review of the most recent anti-virus comparisons at AV-Comparatives shows AVG's anti-virus performing at the top of the heap. The same cannot be said, however, for the foistware that the company has taken to pushing on its users. A litany of user complaints has erupted in recent years, most of which say the same things: AVG's supplementary software — Web TuneUp, SafeSearch, and the like — are security disasters and rampantly disliked.

AVG's privacy policy

The fact that the company now wants to sell consumer data (the information above is from AVG itself) may just be the final straw for many users. AVG has traded actual due diligence for pushing users towards products that don't function while selling the data of its userbase.