Be careful with your install choices – even if they seem secure
For a long time now, any application you chose to install on your computer was likely to come bundled with additional applications as part of the install process. There are various names for this kind of application install approach, some considerably less polite than others. For the most part they rely on you being either too keen to get to the app you actually want to install, or so taken by the seemingly generous offer that you don’t uncheck the “install this app” checkbox or deselect a radio button as part of the install process. Suddenly, you find yourself with an additional browser toolbar, or a homepage you never wanted, or another application just taking up space on your PC.
If you’re curious, the reason why these applications get bundled almost always comes down to money changing hands. Not huge sums for the most part, but even if you only got a single cent for every additional bundled install, if a million or more users took up your app, that would quickly add up.
Annoying bundled apps are one thing, but it’s an entirely different situation when an application you’re installing has add-on modules that seem to extend the utility of the core application, but turn out to be rather more problematic. That’s the issue that AVG recently found with an application it bundled with its AVG Security software. AVG Web TuneUp is a Chrome extension designed to protect you against malware and unwanted web tracking, which sounds, on the surface, like a noble aim and an extension worth installing.
The problem, as discovered by Google researcher Tavis Ormandy, was that Web TuneUp installed itself in a way that bypassed some of Chrome’s own internal malware checking. It’s not uncommon for different security packages to not play nicely together, but the real problem that emerged was that in doing so, it opened up several avenues for other genuine malware and identity theft attacks, some of which were apparently very trivial.
If you’re using AVG Web TuneUp, you don’t immediately have to panic as long as you’ve kept it updated, because AVG has issued updates that fix the most egregious flaws, and it will pretty clearly be going through its code line by line and character by character to try to expunge any other errors before they’re located and lead to any kind of system compromise. It still doesn’t look good for a security software provider to trip up this way, although it’s also a reminder that software is written by people, and people are fallible. For its part, Google has removed the ability for AVG to have Web TuneUp as part of an inline app install of the primary AVG software, pending review, so the main AVG packages should also be safe for now.
The broader lesson this highlights is that you should consider every choice you’re given when you install any new piece of software. If you’re offered a “free” extension application, pause for a second (your install really will wait for you) and do a little online research about that application. If it’s already available as a free app anyway, there’s no benefit to you in installing it right away, and there may be competitor apps that offer the same or better experiences. Equally, if your research unveils numerous user complaints, whether at a security or nuisance level (as with many web toolbars), you can easily dodge a pain point later on down the track. Ultimately it’s your computer to install applications on, and the final, hopefully informed decision should be yours.