An updated version of the toolbar is currently available for download

Jul 8, 2014 12:11 GMT  ·  By

Bundled as a third-party component with the installers of various software, the AVG Secure Search toolbar has been found to let a malicious web page execute arbitrary code on the visitor's machine.

The purpose of the toolbar is to prevent users from landing on dangerous web pages and to ensure the protection of personal information.

It also includes a component that shows which websites collect information about the user's browsing and lets the user block the page elements that track browsing activity.

The CERT Coordination Center (CERT/CC) at Carnegie Mellon University issued an alert on Monday warning that the AVG Secure Search ActiveX control exposes insecure methods.

Among the toolbar's components is an ActiveX control called ScriptHelperApi, implemented by ScriptHelper.exe, an executable COM server that runs as a separate process from the browser.

“This ActiveX control is marked as Safe for Scripting in Internet Explorer, which means that the author has determined that the control cannot be repurposed by an attacker. Because this control does not internally enforce any restrictions on which sites may invoke its methods, such as by using the SiteLock template, this means that any website can invoke the methods exposed by the ScriptHelper ActiveX control,” says Will Dormann in a blog post.

Internet Explorer's Protected Mode does not step in either: the toolbar's installer registers ScriptHelper.exe under the browser's ElevationPolicy registry key, so Protected Mode launches the executable from the low-integrity browser without prompting the user.

Protected Mode runs Internet Explorer's content processes at low integrity, so script running in the browser cannot write to most of the user's profile or start a program at the user's normal privilege level without going through a broker that prompts the user. An ElevationPolicy entry is the documented exemption from that prompt: it tells the broker how to launch one specific executable, and a silent policy removes the prompt entirely. Registering a control that any site can script with such an entry therefore hands every web page a way out of the sandbox.

The risk is that an attacker who gets a victim to open a maliciously crafted web page can use the control's methods to download and run code on the machine with the privileges of the logged-in user, with no prompt from the browser.

AVG Secure Search is a popular tool among Windows users, and because it comes from a reputable antivirus vendor, users tend to trust it without question.

The vendor was notified of the vulnerability and has issued an update for the toolbar that restricts the control's methods to pages on domains administered by AVG (avg.com or avg.nation.com).
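The domain restriction described above is the kind of check a SiteLock-style control performs on the host of the page that instantiated it (the control obtains that URL from the browser through IObjectWithSite). The following is an added example and not AVG's code: it shows a host allow-list check done correctly, including the case where a naive substring or wildcard match would be bypassed. The allow-list is an assumption built from the two domains named in the article, and the sample hosts are constructed for illustration.

```powershell
# Added example, not AVG's implementation. Allow-list built from the domains
# named in the article (assumption).
$AllowedDomains = @('avg.com', 'avg.nation.com')

function Test-AllowedHost {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$HostName,
        [string[]]$Allowed = $AllowedDomains
    )
    # DNS names are case-insensitive and may carry a trailing dot (FQDN form).
    $h = $HostName.Trim().ToLowerInvariant().TrimEnd('.')
    if ($h -eq '') { return $false }
    foreach ($d in $Allowed) {
        $d = $d.ToLowerInvariant()
        # Exact apex match, or the apex preceded by a label boundary.
        # A wildcard test such as ($h -like "*avg.com*") would accept
        # "avg.com.attacker.example" and "notavg.com"; this check does not.
        if ($h -eq $d -or $h.EndsWith('.' + $d)) { return $true }
    }
    return $false
}

# Constructed sample hosts: the first three are allowed, the rest rejected.
$samples = @('www.avg.com', 'AVG.COM.', 'secure.avg.nation.com',
             'avg.com.attacker.example', 'notavg.com', 'avg.co', '')
foreach ($s in $samples) {
    '{0,-28} {1}' -f "'$s'", (Test-AllowedHost -HostName $s)
}
```

A real SiteLock configuration can also pin the scheme, so that only https pages on the allowed hosts may script the control; a host check alone still leaves a network attacker who can spoof or inject into plain http responses from the allowed domain.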

The fixed version of the toolbar is 18.1.7.598, and users are urged to update as soon as possible. At the time of writing there are no reports of the vulnerability being exploited in the wild.
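To check a machine for the condition the article describes, and more generally for any executable that Protected Mode launches silently, the following added PowerShell script (not from AVG or CERT/CC) enumerates the ElevationPolicy registry keys, lists entries whose Policy value is 3 (launch silently at medium integrity), and reports the file version of any ScriptHelper.exe those entries point at against the fixed version given above. The executable name and version number come from the article; the registry layout and the Policy value meanings are the documented Protected Mode ones. The script only reads; it does not modify anything.

```powershell
# Added example, not vendor code. Audits IE Protected Mode elevation policies.
$FixedVersion = [version]'18.1.7.598'   # fixed toolbar build named in the article

$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy'
)

# Documented meanings of the Policy DWORD for the Protected Mode broker.
$PolicyName = @{
    0 = 'Prohibit launch'
    1 = 'Launch at low integrity'
    2 = 'Prompt, then launch at medium integrity'
    3 = 'Launch silently at medium integrity'
}

function Get-ElevationPolicy {
    # One object per GUID subkey: AppName, AppPath and Policy are the standard values.
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $p = Get-ItemProperty -Path $sub.PSPath
            $policy = if ($null -ne $p.Policy) { [int]$p.Policy } else { -1 }
            [pscustomobject]@{
                Hive    = $key
                Guid    = $sub.PSChildName
                AppName = $p.AppName
                AppPath = $p.AppPath
                Policy  = $policy
                Meaning = $PolicyName[$policy]
            }
        }
    }
}

function Get-ScriptHelperStatus {
    # Locate ScriptHelper.exe entries and compare the on-disk file version
    # with the fixed build. An entry whose file is missing is still reported.
    Get-ElevationPolicy |
        Where-Object { $_.AppName -ieq 'ScriptHelper.exe' } |
        ForEach-Object {
            $exe = Join-Path $_.AppPath $_.AppName
            $ver = $null
            if (Test-Path $exe) {
                $vi  = (Get-Item $exe).VersionInfo
                $ver = New-Object System.Version ($vi.FileMajorPart, $vi.FileMinorPart,
                                                  $vi.FileBuildPart, $vi.FilePrivatePart)
            }
            [pscustomobject]@{
                Path        = $exe
                FileVersion = $ver
                Policy      = $_.Meaning
                Outdated    = ($null -ne $ver -and $ver -lt $FixedVersion)
            }
        }
}

# Every silently elevated executable deserves a look, not only AVG's control.
Get-ElevationPolicy | Where-Object Policy -eq 3 |
    Format-Table AppName, AppPath, Meaning -AutoSize

Get-ScriptHelperStatus | Format-List
```

Run it from an elevated PowerShell prompt so that both the 64-bit and the Wow6432Node hives are readable. A ScriptHelper.exe entry reported as Outdated, or any unfamiliar executable in the Policy 3 list, is what to act on; the fix for the toolbar itself is the vendor update, not editing these keys by hand.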