AVG ‘Secure’ Search Toolbar Vulnerable to Most Ironic Attack Yet

On Monday, the US Computer Emergency Response Team (CERT) issued a warning for all users of the AVG anti-virus software suite that the company’s browser protection program, the AVG Secure Search toolbar, was vulnerable to outside attacks.

The hole exists in an ActiveX control that the unfortunately named bloatware would use to install itself on top of the Internet Explorer UI, as many products in this category tend to do whether you want them to or not.

By packaging itself with various software downloads and installers, the toolbar is able to find its way onto millions of machines that might otherwise shun its services in favor of a more reputable, and more secure, method of web surfing protection.

Once that path of approach is established, all it takes is a standard phishing attack for a hacker to gain full access to IE’s valued “sandbox mode”, wherein user authentication and credential verification go out the window in favor of early-stage software testing and about as much internal flexibility as the browser is able to offer.

CERT researcher Will Dormann was quick to condemn AVG for the obvious slip-up in his initial writeup about the problem:

“AVG Secure Search is a toolbar add-on for web browsers that…provides an additional security layer while searching and surfing to protect you from infected websites. One of the components provided by AVG Secure Search is an ActiveX control called ScriptHelperApi, which is provided by ScriptHelper.exe. This ActiveX control is marked as Safe for Scripting in Internet Explorer, which means that the author has determined that the control cannot be repurposed by an attacker. Because this control does not internally enforce any restrictions on which sites may invoke its methods, such as by using the SiteLock template, this means that any website can invoke the methods exposed by the ScriptHelper ActiveX control.”

Not only was the bar itself lacking in the security department, but apparently the method it used to hoist itself into a user’s browser left unkempt elevation privileges scattered about the source code, several of which could later be exploited by hackers who have already used the ActiveX weakness to find their way into the machine in the first place.

“The installer for AVG Secure Search also sets the ElevationPolicy registry value for the control, which means that the control is excluded from the Internet Explorer Protected Mode sandbox. The installer for AVG Secure Search sets the Preapproved registry value, which bypasses the Internet Explorer ActiveX Opt-In feature that was introduced with IE 7.”
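The two advisory excerpts above name three settings that together expose a control: Safe for Scripting, an ElevationPolicy entry, and Preapproved. The following audit sketch is an added example, not code from CERT or AVG; it scans a registry export for any control that combines all three. The sample export and both CLSIDs are constructed placeholders, since the article does not give the ScriptHelperApi CLSID.

```python
import re

SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"  # CATID_SafeForScripting
GUID = r"\{[0-9A-Fa-f-]{36}\}"

# Constructed sample in .reg export format. Both CLSIDs are placeholders, not AVG's.
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-2222-3333-4444-555555555555}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"CLSID"="{11111111-2222-3333-4444-555555555555}"
"Policy"=dword:00000003
[HKEY_CLASSES_ROOT\CLSID\{99999999-2222-3333-4444-555555555555}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
'''

def sections(reg_text):
    """Yield (key_path, {value_name: data}) for each [key] block of a .reg export."""
    key, vals = None, {}
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            if key:
                yield key, vals
            key, vals = line[1:-1], {}
        elif key and "=" in line:
            name, data = line.split("=", 1)
            vals[name.strip('"')] = data.strip('"')
    if key:
        yield key, vals

def audit(reg_text):
    """Map each CLSID to the subset of the three advisory settings found for it."""
    found = {}
    for key, vals in sections(reg_text):
        m = re.search(r"\\CLSID\\(%s)\\Implemented Categories\\(%s)$" % (GUID, GUID), key, re.I)
        if m and m.group(2).upper() == SAFE_FOR_SCRIPTING:
            found.setdefault(m.group(1).upper(), set()).add("safe-for-scripting")
        m = re.search(r"\\Ext\\PreApproved\\(%s)$" % GUID, key, re.I)
        if m:
            found.setdefault(m.group(1).upper(), set()).add("preapproved")
        # Policy 3 = launched at medium integrity without a prompt (outside Protected Mode).
        if re.search(r"\\Low Rights\\ElevationPolicy\\%s$" % GUID, key, re.I):
            if vals.get("Policy") == "dword:00000003" and "CLSID" in vals:
                found.setdefault(vals["CLSID"].upper(), set()).add("elevation-policy")
    return found

def high_risk(reg_text):
    """CLSIDs that are script-safe, pre-approved and elevated all at once."""
    return sorted(c for c, f in audit(reg_text).items() if len(f) == 3)
```

Calling `high_risk(SAMPLE_REG)` returns only the first placeholder CLSID; the second control is script-safe but neither pre-approved nor elevated. Real exports from `reg export` are UTF-16 and need decoding before being passed in.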

For now the exploit only affects versions of the toolbar configured for Internet Explorer 7 and above, and AVG was kind enough to deploy a hotfix for the issue, which should shore up users’ defenses until a more permanent solution can be implemented at a later date.

If you still aren’t convinced the patch is enough, another simple solution to avoid the problem altogether is to disable the AVG ScriptHelper ActiveX control in IE’s settings, although this task could prove a bit more complicated for the less-than-savvy amongst the browser’s admittedly low-tech user base.