Antivirus Browser Extensions: A Security Risk?

The Hidden Costs of Antivirus Browser Extensions
A significant number of antivirus programs, frequently marketed as "security suites," actively encourage users to install accompanying browser extensions.
While these toolbars are presented as tools to enhance online safety, their primary function is often revenue generation for the antivirus company.
Unfortunately, these extensions frequently exhibit substantial security flaws, rendering them susceptible to malicious attacks.
Rebranded Toolbars and Search Engine Redirection
Many antivirus toolbars are essentially rebranded versions of the Ask Toolbar extension.
Installation typically results in the addition of a toolbar to the browser, alongside alterations to the user's default search engine and homepage settings.
These changes are often framed as providing a "secure" search experience, but are primarily designed to generate income for the antivirus provider.
Potential for Unintended Consequences
In certain instances, these extensions go beyond simple revenue generation and cause unforeseen, potentially harmful outcomes.
Their functionality can have unintended consequences for browser performance or user privacy.
It's crucial for users to be aware of these risks before installing any antivirus-related browser extension.
AVG Web TuneUP: A Chrome Security Risk
The installation of AVG antivirus software often includes the "AVG Web TuneUP" extension. This extension, boasting almost 10 million users according to the Chrome Web Store, is advertised as a tool to identify and warn against unsafe search results.
Security Flaws Discovered
In December, Tavis Ormandy, a security researcher employed by Google, identified significant issues within the extension. He found that it introduces a substantial number of new JavaScript APIs to the Chrome browser.
These newly added APIs were determined to be fundamentally flawed. The extension’s design inadvertently exposed users’ complete browsing history to any website visited.
Potential for Arbitrary Code Execution
Beyond the privacy concerns, the extension created multiple security vulnerabilities. These vulnerabilities allowed websites to readily execute arbitrary code on computers with the extension installed.
Ormandy directly communicated his concerns to AVG, stating that their security software was actively disabling web security features for a vast number of Chrome users. He suggested this was done to manipulate search settings and the new tab page.
Patch Attempts and Further Issues
Following the report, AVG released a patch within four days. However, Ormandy quickly determined that this initial fix was inadequate and demonstrably incorrect.
He subsequently provided detailed instructions to AVG on how to properly address the flaw. A revised patch was then issued by AVG the following day.
Limited Fix and Ongoing Vulnerabilities
The updated fix limited the extension’s functions to only two specific AVG domains. However, Ormandy pointed out that these domains themselves contained vulnerabilities, still exposing users to potential attacks.
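The difference between an API that any page can call and one restricted to named origins, as an added example that is not AVG's code or part of the original article. The handler, the `getHistory` action and the `vendor.example` origins are hypothetical, and the loose check is a common mistake shown for contrast, not a claim about what the first patch did.

```javascript
// Hypothetical names and constructed origins throughout; not AVG's code.
const ALLOWED_ORIGINS = new Set(["https://toolbar.vendor.example", "https://search.vendor.example"]);

// No check: every site the user visits can call the API.
const unrestricted = () => true;
// Loose check (a common mistake): substring match on the origin string.
const looseCheck = (origin) => origin.includes("vendor.example");

// Strict check: parse, require HTTPS, compare the exact origin.
function strictCheck(origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // opaque "null" origins and malformed input are rejected
  }
  return url.protocol === "https:" && ALLOWED_ORIGINS.has(url.origin);
}

// Shaped like a window "message" listener; the browser sets event.origin.
function handleMessage(event, isAllowed) {
  if (!isAllowed(event.origin)) return { ok: false, reason: "origin rejected" };
  // Privileged work (history, settings) would run here.
  return { ok: true, action: event.data.action };
}

// Constructed caller origins.
const SAMPLES = [
  "https://toolbar.vendor.example",       // intended caller
  "https://vendor.example.attacker.test", // look-alike host name
  "http://toolbar.vendor.example",        // plaintext, modifiable in transit
  "https://unrelated.test",
  "null",                                 // sandboxed frame or data: URL
];

function compare() {
  const call = (origin, check) =>
    handleMessage({ origin, data: { action: "getHistory" } }, check).ok;
  return SAMPLES.map((origin) => ({
    origin,
    unrestricted: call(origin, unrestricted),
    loose: call(origin, looseCheck),
    strict: call(origin, strictCheck),
  }));
}

console.table(compare());
```

Even the strict check only moves the trust boundary: a script-injection flaw on an allowlisted origin reaches the same privileged API, which is the residual risk noted above for the two permitted domains.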
Concerns About Development Practices
The situation highlighted serious concerns regarding AVG’s development processes. The initial release contained demonstrably insecure code, and the developers required direct assistance from a Google security researcher to rectify the issues.
It is hoped that a separate team manages the development of the core antivirus software. This incident serves as a cautionary example of how antivirus browser extensions can transition from being ineffective to actively detrimental.
Key takeaway: Browser extensions bundled with antivirus software can introduce significant security risks.
The Security Paradox: Why McAfee and Norton Prefer Older Browsers
Microsoft Edge, designed for Windows 10, was created to be a more secure web browser than its predecessor, Internet Explorer. Its architecture incorporates a sandbox environment and eliminates support for outdated, vulnerable technologies like ActiveX.
Furthermore, Edge features a simplified code base and enhanced security measures. These include defenses against “binary injection,” a technique where malicious code is inserted into the browser’s process.
Antivirus Software's Counterintuitive Advice
Despite these advancements, McAfee actively discourages the use of Microsoft Edge. The software promotes Internet Explorer instead, and, with user permission, can modify the taskbar to prioritize Internet Explorer over Edge.
This behavior is directly linked to McAfee’s desire for users to continue utilizing their browser extension. The extension’s functionality is dependent on the older browser.
Norton exhibits similar practices, advising users to employ a “supported browser” such as Internet Explorer on Windows 10 systems. This recommendation also centers around maintaining compatibility with their browser extension.
The Security Trade-off
Even assuming the antivirus browser extensions provided some security benefit – a claim that is debatable – the inherent improvements in Microsoft Edge offer a superior level of protection.
Prioritizing older browsers for extension compatibility ultimately compromises overall system security. The benefits of Edge’s modern security features are bypassed.
Future Compatibility and Resolution
Fortunately, Microsoft Edge is slated to gain support for extensions compatible with Chrome.
Once this functionality is implemented, McAfee and Norton will be able to offer their browser extensions to Edge users without requiring them to revert to the less secure Internet Explorer. This will resolve the current conflict between antivirus software preferences and browser security.
Avast's Online Security Extension and Prior Advertising Practices
As previously reported, installing the primary Avast security software suite also installs an "Avast! Online Security" browser extension.
A feature called "SafePrice" was subsequently integrated into this extension through an update.
Functionality of the SafePrice Feature
This feature was activated by default and presented users with online shopping suggestions while they navigated the internet.
These suggestions functioned as advertisements, potentially generating revenue for Avast through user clicks.
To facilitate this, a unique tracking identifier was assigned to each user.
Every webpage visited was then transmitted to Avast’s servers, linked to this individual identifier.
Essentially, Avast monitored all user web browsing activity and leveraged this data to display targeted advertisements.
Fortunately, Avast ultimately discontinued SafePrice within its primary browser extension.
However, this incident demonstrates a clear inclination among antivirus companies to utilize their "security" extensions as a means of accessing extensive browser data.
The primary goal appears to be displaying advertisements or "product recommendations," rather than solely focusing on user security.
Antivirus extensions can sometimes compromise user privacy for financial gain.
Beyond Extensions: The Need to Disable Other Browser Integrations
Browser extensions aren't the sole source of potential security vulnerabilities. Various other browser integrations can also introduce risks. Many antivirus solutions seek to analyze all network activity, but face a challenge with encrypted connections – those used for secure access to services like email, online banking, and social media platforms.
Encryption is designed to ensure privacy by making network traffic unreadable. To circumvent this, certain antivirus programs employ a "man-in-the-middle" (MITM) technique. This allows them to inspect data even within encrypted connections. These methods function similarly to the Superfish adware, substituting certificates with those belonging to the antivirus software. A detailed explanation of Avast’s practices can be found on the Malwarebytes blog.
SSL Interception and its Risks
Typically, this functionality is implemented within the antivirus program itself, rather than as a browser extension. However, it’s crucial to consider it nonetheless. For instance, Avast’s SSL interception code contained a significant security flaw that could be exploited by malicious servers. Security researcher Tavis Ormandy highlighted this issue, stating the need for even basic code review before release.
This vulnerability underscores a critical point: security companies, like Avast, should proactively identify and resolve such issues before distributing software to users. Ormandy further explained that this type of MITM code expands the browser’s “attack surface,” providing additional avenues for malicious websites to compromise user security.
Weighing the Risks and Benefits
Even with diligent development, features that modify browser behavior introduce considerable risk for limited benefit. Modern web browsers already incorporate built-in anti-malware and anti-phishing defenses. Furthermore, search engines, including Google and Bing, actively work to identify and block access to dangerous websites, offering a layer of protection.
- Antivirus Integration: Can create security holes through SSL interception.
- Man-in-the-Middle Attacks: Allow monitoring of encrypted connections, but increase attack surface.
- Browser Security Features: Modern browsers offer robust built-in protection.
- Search Engine Safety: Search engines actively identify and block malicious websites.
Therefore, carefully evaluating the necessity of these integrations is essential for maintaining a secure browsing experience.
Disable Unnecessary Features for Enhanced Security
It's important to recognize that many browser extensions offered by antivirus programs are, in fact, redundant.
A common claim made by these products is increased online security through the blocking of malicious websites and the identification of harmful search results. However, major search engines, such as Google, already incorporate these security measures as standard functionality.
Furthermore, modern web browsers like Google Chrome, Mozilla Firefox, and Microsoft Edge have built-in phishing and malware protection. Therefore, your browser is already equipped to defend against many threats.
Consequently, regardless of the antivirus software you utilize, refrain from installing its associated browser extension. If an extension is already present, or was installed without explicit consent, navigate to the Extensions, Add-ons, or Plug-ins section within your browser settings.
Disable any extensions linked to your security suite. Additionally, if your antivirus program includes a "browser integration" feature that interferes with standard SSL encryption, it should also be deactivated.
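When reviewing which extensions to disable, the extension's manifest shows what it is allowed to do. The following added example (not from the original article or any vendor) takes a parsed `manifest.json` and reports the entries behind the behaviours this article describes: search and homepage overrides, new tab replacement, and access to history and every page. The sample manifest and the `vendor.example` names are constructed.

```javascript
// Added example; the sample manifest below is constructed, not a real product's.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const SENSITIVE = new Set(["history", "tabs", "webRequest", "cookies", "nativeMessaging"]);

function auditManifest(m) {
  const findings = [];
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  const perms = [...(m.permissions || []), ...(m.host_permissions || [])];
  const scriptHosts = (m.content_scripts || []).flatMap((cs) => cs.matches || []);

  for (const p of perms) {
    if (BROAD_HOSTS.has(p)) findings.push(`host access to every site: ${p}`);
    if (SENSITIVE.has(p)) findings.push(`sensitive API permission: ${p}`);
  }
  if (scriptHosts.some((h) => BROAD_HOSTS.has(h))) {
    findings.push("content script injected into every page");
  }
  const settings = m.chrome_settings_overrides || {};
  if (settings.search_provider) findings.push("overrides default search engine");
  if (settings.homepage) findings.push("overrides homepage");
  if ((m.chrome_url_overrides || {}).newtab) findings.push("replaces new tab page");

  // Pages matching these patterns may send messages directly to the extension.
  const ext = (m.externally_connectable || {}).matches || [];
  if (ext.length) findings.push(`web pages can message the extension: ${ext.join(", ")}`);
  return findings;
}

// Constructed manifest resembling a bundled "safe search" toolbar.
const SAMPLE = {
  name: "Example Safe Search (constructed)",
  manifest_version: 2,
  permissions: ["tabs", "history", "<all_urls>", "storage"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
  chrome_settings_overrides: {
    homepage: "https://search.vendor.example/",
    search_provider: { name: "Vendor Search", search_url: "https://search.vendor.example/?q={searchTerms}" },
  },
  chrome_url_overrides: { newtab: "newtab.html" },
  externally_connectable: { matches: ["*://*.vendor.example/*"] },
};

console.log(auditManifest(SAMPLE).join("\n"));
```

Chrome keeps each installed extension's `manifest.json` under the profile's `Extensions` directory, so the function can be fed `JSON.parse` output from those files.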
Expert Recommendation: Windows Defender
Notably, security researcher Tavis Ormandy, known for discovering vulnerabilities in numerous antivirus programs, suggests Microsoft's Windows Defender as a viable option.
He characterizes it as "not a complete mess" and acknowledges the competence of its security team. While Windows Defender isn't without its limitations, it avoids the problematic practice of intrusive browser integration.
If you prefer an alternative antivirus solution beyond Windows Defender, you can still maintain a secure browsing experience without enabling its browser-specific features.
Your antivirus program can effectively protect you from malicious downloads and attacks targeting your web browser without these potentially detrimental integrations.
- Disable browser extensions provided by your antivirus.
- Check for and disable any conflicting "browser integration" features.
- Consider Windows Defender as a less intrusive alternative.
Prioritizing a streamlined security approach, free from unnecessary browser extensions, can significantly improve your online safety.