
AVG: “Web TuneUP” extension multiple critical vulnerabilities - pfg
https://code.google.com/p/google-security-research/issues/detail?id=675
======
nephyrin
So:

- Anyone with this extension installed could be trivially owned by any
website.

- AVG's initial fix was to incorrectly whitelist their own domains without
requiring SSL.

- The follow up fix (after more harsh words from google) whitelists the AVG
domain with SSL. Google engineer points out an obvious XSS on the domain that
would again allow any chrome user to get owned.

This is a _security_ extension from a _security_ vendor. No words.
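
To make the "whitelist without requiring SSL" point concrete, here is an added illustration (my own, not AVG's code or anything from the Google report) of a weak sender-origin check beside a stricter one, using a hypothetical placeholder host `vendor.example`:

```javascript
// Added illustration (not AVG's code): two ways an extension might decide
// whether a message sender is "our own site". Browsers report an origin as
// scheme://host[:port], so that is what these functions receive.
const TRUSTED_HOST = "vendor.example"; // hypothetical placeholder host

// Weak check: substring match on the host name only. It ignores the scheme,
// so a plain http:// origin (interceptable on the wire) is accepted, and any
// origin that merely contains the string is accepted too.
function isTrustedWeak(origin) {
  return origin.indexOf(TRUSTED_HOST) !== -1;
}

// Stricter check: parse the origin, require https and an exact host match.
// Note this still extends full trust to everything served from that host,
// which is why an XSS on the whitelisted domain (the thread's third point)
// re-opens the hole: origin checks bound *who* is trusted, not *how much*.
function isTrustedStrict(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch (e) {
    return false; // not a parseable origin at all
  }
  return url.protocol === "https:" &&
         url.hostname === TRUSTED_HOST &&
         url.username === "" &&
         url.pathname === "/";
}

// Constructed sample origins, as a browser would report them.
const SAMPLE_ORIGINS = [
  "https://vendor.example",               // the only one that should pass
  "http://vendor.example",                // same host, no SSL
  "https://vendor.example.attacker.test", // host that merely starts with it
  "https://attacker.test/vendor.example", // string appears in the path
  "not an origin",
];

// Returns [origin, weakVerdict, strictVerdict] for each sample.
function compareChecks() {
  return SAMPLE_ORIGINS.map(o => [o, isTrustedWeak(o), isTrustedStrict(o)]);
}
```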

~~~
ikeboy
Why is Google publishing this before the XSS has been fixed? Shouldn't they
wait for further response from AVG?

~~~
brazzledazzle
If I had to guess: because at this point it's obvious that they have no idea
what they're doing and will struggle to not just fix it, but maintain the
level of quality needed to keep it that way.

~~~
ikeboy
Then tell AVG that. I've seen plenty of bugs where the original fix didn't fix
everything, and the reporter explains why, and then they wait for another
response. Here they didn't even keep the 90-day deadline.

~~~
uxp
> I've seen plenty of bugs where the original fix didn't fix everything

You're right, but plenty of bugs aren't for a browser extension that is
supposed to enhance the user's security when browsing the internet. The
initial fix appeared to show a complete lack of understanding of basic web
security.

If you and an intelligent coworker have an agreement to review each other's
code on commit, and that coworker responds to a valid complaint about what
they've written with something that's probably lifted off of the first
StackOverflow post they searched for that addresses the literal value of the
complaint without actually solving the problem, you'd probably be a bit peeved
that they're not doing their job. Here, the Chrome developers are just showing
frustration at AVG's apparent lack of basic skill.

~~~
ikeboy
Frustration is fine. I'd even be fine if they banned AVG. But revealing a
0-day publicly without giving time to respond is worse, and is also not in
line with Google's policies as I understand.

Many security bugs are for things that one might think are basic after hearing
about them, and that shouldn't make it right to 0-day them.

edit: why would revealing a vulnerability to the world before it's been fixed
be the right response to incompetence on the part of the vendor?

~~~
brazzledazzle
Regardless of policy it was the right thing to do.

~~~
ikeboy
Do you think 0-days should be reported as soon as they're found if the vendor
is incompetent? If yes, what's the argument, if not, why is this different?

~~~
tptacek
When you find critical vulnerabilities in popular antivirus software, you can
establish a 90 day publishing schedule, or a requirement not to publish until
all related vulnerabilities are fixed, or whatever other policy you deem
sensible.

Tavis Ormandy is one of the best known vulnerability researchers in the world;
whatever publishing decision he and his team made, I think they probably put
more thought into it than any combination of the comments on this HN thread
did.

~~~
ikeboy
It sounds like you're saying he's above criticism for some reason related to
fame? That doesn't make sense to me.

If there are details I don't know about that explain it, fine (but it doesn't
look like that from what I do see) but arguments over ethics shouldn't be won
by appealing to authority.

I might place more stock in your point here if he'd actually given a reason
and acknowledged that he's opening up users to exploits, and said it's worth it
because of X. As is it doesn't look thought out at all.

~~~
tptacek
I'm suggesting that the implication you're generating all over this thread
that (a) there are hard-and-fast rules for disclosure and (b) Tavis Ormandy
has somehow broken them is probably built on something other than firsthand
knowledge of how vulnerability research works --- to say nothing of firsthand
knowledge of how this particular vulnerability was handled.

~~~
ikeboy
Google does have a policy not to release within 90 days unless a patch is
released, and this does seem to be pointing out a vulnerability that hasn't
been patched. What am I getting wrong? Am I misunderstanding something?

Separately, even if they had no such policy or it was an independent
researcher, I don't think discussing the ethics of disclosure should be off
bounds by someone not directly involved.

------
djsumdog
If I have a Windows machine or VM, I simply don't run anti-virus. There's no
point. At Kiwicon last year, some French researcher showed how most anti-virus
scanners were so badly written, he could exploit their scanning engines with
basic malformed PDFs and JPEGs. Most of those scanners run as the SYSTEM user,
so you basically can control a system with a PDF.

...but I hesitate to tell non-developers to uninstall their anti-virus. I
don't want to be responsible for them getting exploited, but I usually do tell
them why I don't run anti-virus and that the choice is up to them.

I always emphasize the biggest thing you need to do as far as security goes is
to run all updates. Never skip or delay updates. The moment Chrome/FF wants
you to restart, you restart them. Run Windows update (even though Windows 10
is another beast/debate entirely, if you chose to run it, you should run
updates).

~~~
kbenson
I generally try to get whatever anti-virus/malware Microsoft is offering, if
not already bundled. There are way less perverse incentives at play, and if
I'm running Windows and worried about MS having extra info about what I'm
doing... well, that boat has sailed. Anything I truly want separated from my
identity (browsing wise), I use a VirtualBox instance running Linux. Even then
I'm sure it's associated with my identity through IP address alone, but at
least it may be seen as someone else at the same location if I'm lucky.

~~~
rplnt
> There are way less perverse incentives at play

Then again, they have fewer incentives to make a good AV. And it shows. But
it's definitely better than nothing. And it's finally installed and on by
default.

~~~
Klathmon
Can you explain this? Why would Microsoft have fewer incentives to make a good
AV for their OS?

~~~
rplnt
It's not their business, it doesn't make them money. They don't need to be
competitive. They do what they need to do to protect their users (from
clogging their hotline). I don't mean to say they do poor AV on purpose (or
that it's poor in the first place). They just don't invest that much in it and
as a result the protection is on a different level when compared to other
major AVs.

~~~
kbenson
> It's not their business, it doesn't make them money.

They used to think this. They got such bad press for a buggy, exploitable OS
that it cost them quite a lot.

> They don't need to be competitive.

The OS needs to be competitive, and I think you're mistaken if you think the
AV team at MS doesn't work tightly with the OS team, if they're in fact
different.

> They just don't invest that much in it and as a result the protection is on
> a different level when compared to other major AVs.

At a different level because they don't put a bunch of crap on top of the OS
which in most cases is really just a placebo? MS running a traditional AV
division would be the height of stupidity. They are the OS vendors. Their
fixes should be structural, not scaffolding.

------
Animats
Something called "Web TuneUP" just screams crapware. It sounds like one of
those browser toolbar things advertised via flashing banner ads that hijack
your browser.

A company that bundles something like that is no longer credible as a security
vendor.

------
cpeterso
AVG's CEO, Gary Kovacs, was formerly CEO of Mozilla. There must be a strong
cognitive dissonance field surrounding AVG's corporate headquarters to publish
this level of "security" software.

~~~
yuhong
I wonder if anyone at Mozilla has a current contact.

------
dendory
I remember using AVG many years ago when it was a decent product. I recently
had the displeasure to have to install it again. AVG Free right now is
malware, plain and simple. It hijacks your home page in every browser,
changes your search page, and silently installs an extension. And if you go
and switch the home page back, it shows you a popup asking you to set it back
to AVG. This is pure malware behavior.

------
modeless
Can a class action lawsuit be started to deal with this sort of criminal
incompetence?

------
georgemcbay
I'm primarily a Windows user on the desktop/laptop side (though I do also use
a lot of Linux/Unix/embedded systems) and my advice to everyone who asks (as
the token 'IT advice guy' to lots of friends and family) is just don't install
anti-virus software. Modern Windows is better off without it. As far back as
XP the best option was to install Microsoft's own Windows Defender and
uninstall everything else, now just use what the OS already comes with.

Microsoft's goal with virus elimination is to make Windows work better, 3rd
party vendors' goals with virus elimination are to upsell you on a lot of crap
you don't need. It isn't difficult to see why the 3rd party stuff is all a
bunch of crap that floods you with false positives while bogging your system
down in an attempt to seem like it is doing something useful.

Yes, there are occasionally exceptions to the rule, but they all eventually
follow a logical progression from useful lightweight tool to bloated piece of
shit that is worse than most viruses they could possibly save you from.

------
guelo
At one point it looked like Microsoft was going to kill the scammy Windows
"security" industry by releasing their own anti-virus. But then they backed
off and now MSE seems to be purposefully curtailed.

~~~
gvb
MSE was absorbed into Windows Defender in Windows 8 & 10. I don't recall any
publicity from Microsoft telling their users this - I only know because I did
google searches on how to install MSE on Win8 which turned up the answer that
it's already in there, just renamed.

In my experience, a _lot_ of people, including IT people who _should_ know,
have not gotten the message. There are a lot of people paying a lot of money
for crap snake oil when they could have free (arguably better) snake oil.

Ref:
[https://en.wikipedia.org/wiki/Windows_Defender](https://en.wikipedia.org/wiki/Windows_Defender)

_In Windows 8, functionality has increased to offer antivirus protection as
well. Windows Defender in Windows 8 resembles Microsoft Security Essentials
and uses the same virus definitions._

------
ra1n85
I long stopped using AVG because their business model seemed to transition to
largely something predatory - browser bars, hijacked home pages, "tune-ups".

------
zump
Who the fuck would get something called Web TuneUP?

