AVG 2011 Bug Affects Browsing Experience, Could Also Hurt Websites

A serious bug in a component of the new AVG 2011 anti-malware products causes computers to flood websites with unnecessary HTTP requests and in many cases prevents users from properly using their browsers.

At this time the problem is not very well documented, but reports about it, dating back to the end of last month, can be found on various forums and discussion groups around the Web.

It appears that the bug is located in the LinkScanner component, which is found in the entire AVG 2011 product line, including the company's popular free antivirus.

LinkScanner has two features. One called Search-Shield, which places safety ratings next to search results and another one called Surf-Shield, which checks pages in real time.

"AVG Surf-Shield actively checks web pages in real-time every time you click a link or enter a web address directly into your browser," the company explains.

As it turns out, this is done by adding a script element to the very beginning of every HTML page rendered inside the browser. This element loads a local JavaScript file called avg_ls_dom.js.

<script src="/A2EB891D63C8/avg_ls_dom.js" type="text/javascript">

The use of a relative path used suggests that AVG positions itself between the browser and the website in order to intercept the request and serve the .js from a local source.

The script is injected in a non-standard way, right after the document definition and outside of the <head> element, where such resources are normally defined.

This technique is most likely used to ensure that avg_ls_dom.js is loaded before any other script possibly injected by attackers into the original page.

The JavaScript code inside the file is supposed to create a buffer with the content of the page and submit it via POST to another relative URL called /CC0227228D62/CheckData.

httpRequest.open("POST", "/CC0227228D62/CheckData", false);

httpRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");


This request should again be intercepted by the AVG module, which should inspect the code and give the go-ahead to display the page or tell the script to throw an error instead.

However, it seems that a bug causes the proxy-like component to let requests through and get sent to the server from where the page was loaded.

As a result webmasters will see requests of the form: <source_ip> - - [12/Oct/2010:00:06:32 -0400] "POST /CC0227228D62/CheckData HTTP/1.1" 404 5486 "http://<url>" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20100722 YFF35 Firefox/3.6.8" (27)

This is a form of HTTP hammering and its impact will depend on how many users with AVG 2011 access a particular site.

Our own data suggests that occurrences have increased during the past few days and the requests are being sent from IE, Firefox, Chrome and Opera.

However, end users are most affected in all this, because their browsers will open tens or hundreds of connections in the background and will become unresponsive.

Reports suggest other usability issues as well. For example, users not being able to use certain features on legit websites like YouTube, or the IE7 compatibility mode being broken for IE8 users.

According to a topic on the French AVG support forum, the company is aware of at least some of these problems and is working to resolve them.


Photo Gallery (2 Images)

Gallery Image
Gallery Image

Hot right now  ·  Latest news