back to article Google probes AVG Chrome widget after 9m users exposed by bugs

Google has banned AVG from automatically installing its Web TuneUp Chrome extension – after the widget wrecked the online security of nine million people. Tavis Ormandy, a Google Project Zero researcher who has been auditing antivirus software, found the extension was riddled with vulnerabilities. Web TuneUp is installed with …

  1. Christoph Silver badge

    Oh dear. Pissing off Google's techies is not a survival oriented action!

    1. js1592

      Nor is using AVG in general...

      1. Anonymous Coward
        Anonymous Coward

        Hmmm

        Been using AVG for years and never had a problem. Obviously this part of the product was faulty until they fixed it but I've had a lot more trouble from certain other anti-virus vendors I could mention.

        It's also a bit rich coming from Google of all people!

        1. Anonymous Coward
          Anonymous Coward

          Re: Hmmm

          >Been using...

          Likewise. As an AV it's as good as any other but people are lazy and just accept a default installation which loads a pile of crap such as this web tune-up. Yes, it's optional but it's opt-out not opt-in. Go the custom installation route and just install the core AV module.

          At the moment such user behaviour is a raw nerve, I've just cleaned my sister-in-law's laptop for the umpteenth time and the number of tool bars and stuff that starts when the machine does and is set to auto-update had me climbing the walls.

        2. Halfmad Silver badge

          Re: Hmmm

          Most other companies that screw up in the AV field don't do so by leaking data or potentially opening up customers to MITM attacks, they release a messed up DAT file etc. This is a pretty major cock up in security by a firm which is meant to be trustworthy enough not to do exactly that.

          White knight and defend it until you are blue in the face, this is a major balls up.

          1. Anonymous Coward
            Anonymous Coward

            Re: Hmmm

            You're missing the point. If I am defending anything it's the core AV and in fact I'm criticising the bundling of other products along with that. Web-tune up and the other add-ons are different products to the AV which should not be bundled together with it. Take the AV core alone and you'll find it hard to jump on the slag off bandwagon. However given you can't distinguish between unrelated add-ons and the core product I doubt you'll be able to escape crowd mentality.

    2. JCitizen
      FAIL

      AVG

      Friends don't let friends do AVG - I don't know how many of mine have trashed their computer using it. Using any other free AV is better.

  2. Turtle

    Relatives.

    "'Apologies for my harsh tone, but I'm really not thrilled about this trash being installed for Chrome users,' Ormandy told AVG's engineers in his security bug report."

    It's all relative. I don't consider Ormandy's to be a "harsh tone". To me, personally, a harsh tone would be "We're a-gonna kill your family and half a dozen of your relatives" whereas an appropriate and measured tone would be "We gonna kill you".

    1. BebopWeBop Silver badge

      Re: Relatives.

      That's just one sentence. What else did he say :-)

  3. AJ MacLeod

    It's a shame the way AVG seems to be heading steadily downhill. I always do a custom install and make sure to omit the web "tune up" component (I uninstall anything that claims to "tune things up" as a general principle - my experience is overwhelmingly that they make things worse)

    1. Crazy Operations Guy Silver badge

      I can't tell you how many times I've had to fix a machine because someone tried to optimize something or other. Most of the time, these optimization programs only have negligible effects on the performance, but more often than not, will just prevent the machine from booting now, or a few weeks down the line. I've made so much money off of undoing CCleaner's messes that I might jsut be able to quite my day job...

      1. Anonymous Coward
        Anonymous Coward

        >I've made so much money off of undoing CCleaner's messes

        I'd be interested to hear of a few examples.

        1. Crazy Operations Guy Silver badge

          Some of the more common messes I see:

          * Attempts to 'optimize' the registry resulting in corrupted files

          * removal of 'temp files' that were still in use

          * old update files that were removed, but a later rollback needed them (Particularly with beta versions of the .net framework as needed for some beta versions of games)

          * sometimes the load order of drivers will change causing systems with 3rd party disk encryption software to fail to load properly

          Most of the messes just cause applications to fail to load properly (Or put them into a loop of 'This application isn't installed, install now?' 'This application is already installed, installation failed' because it can't find specific registry keys but finds its files.

          IMHO, even the most remote risk isn't worth the possibility of increasing boot times by a few seconds or freeing up a even a few gigabytes of disk space.

        2. JCitizen
          Coffee/keyboard

          Me too!

          For hundreds of the computers I've worked on, including those hosed by AVG, it was usually CCleaner that helped put them back online!

  4. Danny 2 Silver badge

    IT Crowd

    I know I'm personally going to get blamed for this by about 32 of those 9,050,432 users.

    "But you recommended AVG to me and I trusted you!"

    I recommended it nearly two decades ago, let it go. Seriously, have you tried turning it off and on again?

    1. RIBrsiq

      Re: IT Crowd

      "Seriously, have you tried turning it off and on again?"

      Or, more specifically to AVG's case, turning it off and leaving it that way...?

      I mean, if one's willing to pay for an AV -- a sound and recommended investment, IMO -- there are really great ones out there. But for the price of free, nothing is much better than Windows Defender.

      Now, I'm not saying Windows Defender is any good, mind! I'm just saying most free AVs I tried are comparable to it.

      1. Bitbeisser

        Re: IT Crowd

        AVG was good back in the Windows XP days, but ever since they started to support (or not) Windows 7 and later, they have gone downhill pretty fast, including installing all that additional web$h!t that doesn't work any better than a little bit of common sense (ok, I know, a rare commodity these days).

        But as far as Windows Defender goes, well, it does something. If that is any good, I am not so sure, there ARE free anti-virus solutions out there, like Avast, that do a MUCH better job, though they also started to go down that dark rabbit hole of trying to install all kinds of crap that is of no use (how do they dare to tell me which programs on my PC are unnecessary for example)...

      2. Dan 55 Silver badge

        Re: IT Crowd

        The only virtue Windows Defender has is it doesn't nag which is quite out-of-line with the rest of Windows. The defending itself isn't actually very good...

        https://www.av-test.org/en/news/news-single-view/protection-for-windows-81-24-security-packages-put-to-the-test/

        1. RIBrsiq

          Re: IT Crowd

          "The defending itself isn't actually very good".

          Yes.

          If someone held a gun to my head -- or any other body part, really -- and forced me to say something positive about it the best I could come up with would probably be "It's better than nothing, I guess...".

          Seriously: buy a proper AV suite with a good firewall. It's extremely unwise not to.

          1. jason 7 Silver badge

            Re: IT Crowd

            Windows Defender for the general virus/trojan stuff.

            EMET on max settings for the Zero Day stuff.

            Unchecky for the adware/installer stuff.

            AdBlock/NoScript etc. for the web stuff.

            Cryptoprevent for the Cryptolocker stuff.

            Well its what I use mainly. Big bonus is none of it is nagware or shoutware either!

            1. JCitizen
              Coffee/keyboard

              Re: IT Crowd

              @jjason 7 - substitute the free Malwarebytes Anti-Exploit utility for EMET, and run as a limited user, and you got a pretty good line up. I would include Secunia PSI to alert to vulnerabilities, and File Hippo's Application Manager to help keep your apps updated before zero day.

              1. jason 7 Silver badge

                Re: IT Crowd

                Yeah didn't like the Malwarebytes version as much as EMET. And Secunia just gets really annoying after a while. I make do with a ninite update script icon to run every couple of weeks to make sure most of my stuff is up to date.

                Both worth using, I just don't like them personally.

  5. a_yank_lurker Silver badge

    Flash now AVG

    Is AVG feeling lonely and wanting to cozy up to Flash as the most unloved couple on the planet? Maybe they both should be banned.

  6. RIBrsiq

    IMO, no browser extensions should be allowed to install automatically as part of anything. Or, indeed, install at all.

    1. Ambivalous Crowboard

      Re: "no browser extensions should be allowed to install automatically"

      Absolutely. Have we not been here before? Many, mamy times, and many moons ago, with things with shitty IE plugins that trash your online life?

      Speaking as an IT admin that loves it when silent installs are possible, they are also simply disasterous for home users with vendors and the likes pushing what they think is best into other people's systems. If your users can't be persuaded to click a "Yes" box by your shitware, then perhaps fix your shitware.

      1. AustinTX

        Re: "no browser extensions should be allowed to install automatically"

        As usual, as always, you give a business a little leeway, and they try to take over. And they're at least a little bit accountable. Imagine what the unaccountable agencies, who insist that you let them keep their loving eyes on you at all times, are up to?

    2. Test Man

      I thought that Chrome extensions/addons weren't allowed to install via anything other than the Web Store?

    3. Anonymous Coward
      Angel

      Except for AdBlock which should be built in

  7. thomas k

    Bug?

    Or feature?

  8. Anonymous Coward
    Anonymous Coward

    AVG, the new McAfee.

    1. NotBob
      Trollface

      But without the lovable mascot to sell them off and then entertain the masses

    2. JCitizen
      Megaphone

      Oh gawd!

      I forgot about McCr@ppy! Don't let any of your friends or clients near either of them!

  9. Amorous Cowherder

    AVG has always been a piece of cack, up there with Norton Security, a bloated system hog with a zero credibility and now a liability to boot.

    1. JCitizen
      Coffee/keyboard

      Actually worse...

      Norton is not as bad as it used to be, but I sure would not pay money for it - AVG is much WORSE!

      After reading a news item about AVG issuing bad updates, I got a call from two clients that their machines were hosed so badly they had to send them in to the factory to be repaired!

  10. King Jack
    Big Brother

    Short Memory

    Everyone seems to have forgotten their recent policy of selling user data to third parties. Other free anti-virus do not (yet).

  11. Timmy B Silver badge

    As others said... it used to be good.

    I stopped using it a couple of years back. A bit sad really as it used to be one of the best. They are now added to Norton in the not with a barge pole pile.

  12. Anonymous Coward
    Anonymous Coward

    is it rather chrome issue ?

    With all honesty it rather sound like chrome issue and its API to allow to plugin insecure plugins rather than the plugin itself- have good security controls in place and by fefault u will have no problems like that

  13. Chika

    Firefox

    I just noticed that the one machine that I have that uses AVG has had the same tool added, but this time on Firefox. I'm not totally convinced that this is wholly a Chrome issue, especially if this tool is installed without prior permission, a bit like the cloud tool on Foxit Reader.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019