When security products make systems less secure

Martin Brinkmann
Feb 6, 2016

There has been an increase in reports pf security products recently which make user systems less secure when they are installed, used or even just present on the system.

Many antivirus companies have added tools and products to their security programs in recent years to increase the perceived value of the product, add new features to them that users may find useful, and to add new revenue opportunities in form of custom search deals.

It is quite common for instance that companies deploy browser extensions on systems that change the search provider, new tab page or home page. Others have created custom versions of the Chromium browser to improve user security while the browser is being used, often calling these custom browsers secure or safe to indicate that.

Google started to analyze browser extensions and custom browsers recently and the results are quite disturbing.

The three custom Chromium-based browsers the company analyzed were found to weaken security instead of improving it.

The latest company that Google contacted about security issues found in their products is Avast. The company's SafeZone browser, based on Chromium, allowed attackers to read any file on the system by getting users to click on links.

chromium security issues

This worked even if users never used SafeZone, as data is automatically imported from a Chrome installation when the program is installed on the user system.

You don't even have to know the name or path of the file, because you can also retrieve directory listings using this attack. Additionally, you can send arbitrary *authenticated* HTTP requests, and read the responses. This allows an attacker to read cookies, email, interact with online banking and so on.

avastium vulnerability

The company released an update in the meantime that fixed the issue. SafeZone is secure if you have build number 2016.11.1.2253 or newer installed.

Avast is not the only company that has been reprimanded by Google for weakening user security. Just two days ago, it was Comodo and the company's Chromodo browser, also based on Chromium, that was shamed publicly by Google.

And before that, Google revealed vulnerabilities in products by AVG, Trend Micro, Malwarebytes, and several other products as well.

While there is certainly always the possibility that software programs have security vulnerabilities, some may find it a fair assumption that these add-on products and services do more harm than good.

What weights even more is that these security companies should know better, considering that security and keeping users safe is their business.

Some companies provide users with options to customize what is installed during installation while others don't offer these options at all. It is probably a good idea to block the installation of any add-on service, browser extensions or standalone browsers, considering the findings of the past couple of months.

When security products make systems less secure
Article Name
When security products make systems less secure
Security products by several popular companies were found to contain security vulnerabilities that make user systems less secure.
Ghacks Technology News

Previous Post: «
Next Post: «


  1. avast said on March 23, 2016 at 5:40 am

    Avast forced installed that browser on user today

    And the representative said the users are ‘lucky’ to get that lol

  2. Pravin said on February 9, 2016 at 5:35 pm

    Avast was my first choice since year 2002. Then it became nothing but a spam. I completely removed it from Windows and Android also. Trust no one. Instead virus is better.

  3. Marti Martz said on February 6, 2016 at 9:46 pm

    Google has had it’s own walk of shames too in the past and present… do a search.

    Any time a third party is involved especially with closed source there is a higher risk of security and privacy issues. Networks of Trust and transparency should be established to maintain some semblance of digital serenity.

    Corrections to issues should be addressed professionally as well and preferably without name calling. e.g. abusive comments.

    Quote for today:
    “Judge Not Lest Ye Be Judged! and Let Him Who is Without Sin Cast the First Stone” * some theology rhetoric that has some good wisdom behind it :)

  4. D. said on February 6, 2016 at 8:14 pm

    I’m curious as to what all Google has looked at. Maybe we will hear more as time goes along.

    Very good Martin…thanks!

  5. S2015 said on February 6, 2016 at 6:27 pm

    Giant is giant: Google does the ability to archive its goals effectively — Mind your back (* backdoor – in someway, security holes = backdoors), as Google is looking at you (your holes) — LOL, just kidding!

  6. Maelish said on February 6, 2016 at 5:02 pm

    I’m curious to know if Epic Privacy Browser is as safe as they say. Has Google looked at them yet?

  7. juju said on February 6, 2016 at 1:00 pm

    Any good product should be secure and in no need of any additional/upgraded/exended “security”. All those security products that people are encouraged to buy and install without any clue other than that feeling that they are buying the pig in a sack – they are just that: protection racket. Of course the scam is adapted to 21st century society…

    1. Andrew said on February 7, 2016 at 5:10 am

      “should” is the key word though. Most security flaws in software is due to bugs.

      1. Andrew said on February 7, 2016 at 7:46 pm

        hence “most”

      2. juju said on February 7, 2016 at 11:58 am

        backdoors are not “flaws”.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.