SafeGroup

AVG Secure Search toolbar puts users at risk
We are used to the idea that browser toolbars developed by well-known security vendors should offer us real features and real protection... that is not quite how it is, though; the repeatedly condemned Avira toolbar was one example, and now we have another. It turns out that the well-known and widely used toolbar made by AVG, AVG Secure Search, contains such bugs and vulnerabilities that it exposes the user to remote code injection and, as a result, even to a takeover of their machine.
Information about the discovered vulnerabilities was published on the CERT website... a lengthy excerpt follows
Quote:
Overview
The AVG Secure Search toolbar, also known as AVG Safeguard includes an ActiveX control that provides a number of unsafe methods, which may allow a remote, unauthenticated attacker to execute arbitrary code with the privileges of the user.

Description
AVG Secure Search is a toolbar add-on for web browsers that "... provides an additional security layer while searching and surfing to protect you from infected websites." One of the components provided by AVG Secure Search is an ActiveX control called ScriptHelperApi, which is provided by ScriptHelper.exe. This ActiveX control is marked as Safe for Scripting in Internet Explorer, which means that the author has determined that the control cannot be repurposed by an attacker. Because this control does not internally enforce any restrictions on which sites may invoke its methods, such as by using the SiteLock template, this means that any website can invoke the methods exposed by the ScriptHelper ActiveX control. The installer for AVG Secure Search also sets the ElevationPolicy registry value for the control, which means that the control is excluded from the Internet Explorer Protected Mode sandbox. The installer for AVG Secure Search also sets the Preapproved registry value, which bypasses the Internet Explorer ActiveX Opt-In feature that was introduced with IE 7.

The AVG Safeguard and Secure Search ScriptHelper ActiveX control versions up to and including version 18.1.6 contain a number of unsafe methods that can be used in Internet Explorer. Other browsers do not appear to be affected.

Impact
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to download and execute arbitrary code with the privileges of the logged-on user.

Solution
Apply an update


This issue is addressed in AVG Secure Search toolbar version 18.1.7.598 and AVG Safeguard 18.1.7.644. While these versions are still marked as Safe for Scripting, this version of the control has restrictions in place that prevent its use by web pages hosted by domains other than .avg.com or .avg.nation.com. Please also consider the following workaround:

Disable the AVG ScriptHelper ActiveX control in Internet Explorer

The vulnerable AVG ScriptHelper ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:

{F25AF245-4A81-40DC-92F9-E9021F207706}



And some commentary from IDG Communications
Quote:
Implementation issues with AVG Secure Search, a browser toolbar from antivirus vendor AVG Technologies that's supposed to protect users from malicious websites, could have allowed remote attackers to execute malicious code on computers.

The toolbar, also known as AVG SafeGuard, supports Google Chrome, Internet Explorer and Mozilla Firefox running on Windows XP and later, and is often bundled as an optional installation with popular free software programs.

According to researchers from the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, versions 18.1.6 and older of AVG Secure Search and AVG SafeGuard install an ActiveX control called ScriptHelperApi in Internet Explorer that exposes sensitive functionality to websites.

"This control does not internally enforce any restrictions on which sites may invoke its methods, such as by using the SiteLock template," said Will Dormann, a vulnerability analyst at CERT/CC, in a security advisory published Monday. "This means that any website can invoke the methods exposed by the ScriptHelper ActiveX control."

Furthermore, upon installation, ScriptHelper is automatically placed on a list of pre-approved ActiveX controls in the system registry, bypassing a security feature first introduced in Internet Explorer 7 that prompts users for confirmation before executing ActiveX controls. It's also excluded from IE's Protected Mode, a security sandbox mechanism, Dormann said.

All these conditions make it possible for an attacker to execute malicious code on the computer of a user who has a vulnerable version of AVG Secure Search installed, if the user opens a specifically crafted HTML Web page, email message or attachment in Internet Explorer. The rogue code would be executed with the privileges of the logged-in user, Dormann said.

AVG fixed the security issue in AVG Secure Search 18.1.7.598 and AVG Safeguard 18.1.7.644 released in May. It's not clear if the toolbar updates itself, so users should make sure that they download and install the latest version if they intend to keep using it.

AVG did not immediately respond to a request for comment.

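An added example (not part of the forum post or the CERT advisory): a PowerShell audit of the registry conditions the advisory describes for the ScriptHelper CLSID, which can also apply the kill-bit workaround. It assumes the control is registered machine-wide under HKLM; the function names and the `-Apply` switch are illustrative.

```powershell
# Added example, not from the advisory. Audits the registry state the advisory
# describes for the ScriptHelper control and, with -Apply, sets the kill bit.
param([switch]$Apply)   # -Apply needs an elevated session (writes to HKLM)

$Clsid     = '{F25AF245-4A81-40DC-92F9-E9021F207706}'  # CLSID quoted in the advisory
$SafeCatId = '{7DD95801-9882-11CF-9FA0-00AA0060A26A}'  # CATID_SafeForScripting
$KillBit   = 0x400                                     # "do not load in IE" compatibility flag

# IE reads the 64-bit or the 32-bit (Wow6432Node) view depending on its own bitness.
$Views = 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node' |
    Where-Object { Test-Path -LiteralPath $_ }

function Get-ControlState {
    param([string]$View)
    $compat = "$View\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags  = 0
    if (Test-Path -LiteralPath $compat) {
        $prop = Get-ItemProperty -LiteralPath $compat -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($prop) { $flags = $prop.'Compatibility Flags' }
    }
    [pscustomobject]@{
        View        = $View
        Registered  = Test-Path -LiteralPath "$View\Classes\CLSID\$Clsid"
        # Registry category only; a control can also claim safety at run time via IObjectSafety.
        SafeCat     = Test-Path -LiteralPath "$View\Classes\CLSID\$Clsid\Implemented Categories\$SafeCatId"
        Preapproved = Test-Path -LiteralPath "$View\Microsoft\Windows\CurrentVersion\Ext\PreApproved\$Clsid"
        Flags       = $flags
        KillBitSet  = (($flags -band $KillBit) -ne 0)
    }
}

function Set-KillBit {
    param([string]$View)
    $compat = "$View\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path -LiteralPath $compat)) { New-Item -Path $compat -Force | Out-Null }
    # Preserve any flags already present and OR in the kill bit.
    $new = (Get-ControlState $View).Flags -bor $KillBit
    New-ItemProperty -LiteralPath $compat -Name 'Compatibility Flags' `
        -PropertyType DWord -Value $new -Force | Out-Null
}

if ($Apply) { $Views | ForEach-Object { Set-KillBit $_ } }
$Views | ForEach-Object { Get-ControlState $_ } | Format-Table -AutoSize
```

Run it from a 64-bit PowerShell session so that both registry views are visible; a row with `Registered` true and `KillBitSet` false means the control can still be loaded by that build of Internet Explorer.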

Paranoia, holes in "security software". Facepalm
I wonder whether AVG Free has such holes. Facepalm