It's never good when software that's designed to keep you safe puts you at risk instead. That's what happened with a free Chrome plug-in produced by AVG AntiVirus. Turns out, AVG's security software "Web TuneUp" actually had a big security flaw.
Web TuneUp works like this: When a user visits a site, the Web address is sent to AVG's servers to be checked against a database of known malicious sites. However, the way the plug-in was constructed meant that information could be easily exploited by a hacker using what's called "cross-site scripting."
On December 15th, a Google Security researcher named Tavis Ormandy exposed the issue in a discussion forum. Of the issue, he wrote, "Apologies for my harsh tone, but I'm really not thrilled about this trash being installed for Chrome users. The extension is so badly broken that I'm not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it's a PuP."
PuP, short for "potentially unwanted program," is geek speak for spyware, adware or some other type of unwanted software. It's sometimes also referred to as a "barnacle."
Ormandy went on to say, "Nevertheless, my concern is that your security software is disabling web security for 9 million Chrome users, apparently so that you can hijack search settings and the new tab page. There are multiple obvious attacks possible."
In response, installations of the plug-in were stalled while AVG developers cranked out a quick fix. Later, AVG developed a more secure patch, and as of December 28th the issue was resolved.
But this story certainly reaffirms the struggles anti-virus software makers are having in the current market. With so many malicious sites and so much malicious software out there, it's becoming more difficult for them to keep up. To protect yourself online, be sure to follow the advice found in the Komando Security Center.