When a user installs AVG AntiVirus, a Chrome extension called "AVG Web TuneUp" with extension id chfdnecihphmhljaaejmgoiahnihplgn is force-installed. I can see from the webstore statistics it has nearly 9 million active Chrome users.
This extension adds numerous JavaScript APIs to Chrome, apparently so that they can hijack search settings and the new tab page. The installation process is quite complicated so that they can bypass the Chrome malware checks, which specifically try to stop abuse of the extension API.
Anyway, many of the APIs are broken, the attached exploit steals cookies from avg.com. It also exposes browsing history and other personal data to the internet, I wouldn't be surprised if it's possible to turn this into arbitrary code execution.
In addition to the problems Ormandy described above, he also claimed that the first solution offered by AVG still left users vulnerable to so-called "man in the middle attacks." The researcher said, "...a network man in the middle can redirect a user to attack.avg.com, and supply javascript that opens a tab to a secure https origin, and then inject code into it. This means that a man in the middle can attack secure https sites like GMail, Banking, and so on."
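The trust problem in that quote, shown as an added example (not AVG's code and not part of the original report): a hypothetical origin check that accepts any avg.com host over any scheme, beside a stricter one that requires HTTPS and an exact host. The allowlist entry `www.avg.com`, the function names and the sample origins are assumptions made for illustration.

```javascript
// Added example: hypothetical origin checks guarding a privileged extension API.
// Neither function is AVG's code; hosts and sample origins are constructed.
const TRUSTED_HOSTS = new Set(["www.avg.com"]); // assumed allowlist entry

// Weak: any avg.com host on any scheme is trusted. Plaintext http responses
// can be supplied by whoever controls the network path, so a host such as
// attack.avg.com passes even though the vendor never served the page.
function weakIsTrusted(origin) {
  let url;
  try { url = new URL(origin); } catch { return false; }
  return url.hostname === "avg.com" || url.hostname.endsWith(".avg.com");
}

// Stricter: TLS only, exact host match, default port, no embedded credentials.
function strictIsTrusted(origin) {
  let url;
  try { url = new URL(origin); } catch { return false; }
  if (url.protocol !== "https:") return false;      // rejects network-injected http pages
  if (url.username || url.password) return false;   // rejects user:pass@host forms
  if (url.port !== "") return false;                // default port only
  return TRUSTED_HOSTS.has(url.hostname);           // no wildcard subdomains
}

// Run both checks over a list of origins so the differences are visible.
function audit(origins) {
  return origins.map((origin) => ({
    origin,
    weak: weakIsTrusted(origin),
    strict: strictIsTrusted(origin),
  }));
}

// Constructed sample origins, not taken from any log.
const SAMPLE_ORIGINS = [
  "https://www.avg.com",
  "http://www.avg.com",
  "http://attack.avg.com",
  "https://www.avg.com:8443",
  "https://www.avg.com.evil.example",
  "not a url",
];

console.table(audit(SAMPLE_ORIGINS));
```

A scheme and host check only narrows who can reach the privileged API; a script-injection flaw on an allowlisted host would still inherit that access.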
AVG's extension is ostensibly designed to provide a search safety tool, but it also captures revenue by routing search queries to the company's own pages. The company has a history of augmenting its core business of selling anti-malware solutions; a few months ago, AVG updated its privacy policy to allow the company to sell a user's browsing and search query history to third parties.
Source: Google Security Research via Ars Technica