“This control does not internally enforce any restrictions on which sites may invoke its methods” This means that once installed the active X control called ScriptHelperApi can allow any web site to run malicious code on your system through this Api. To make a bad thing just a little worse CERT is saying that the ScriptHelper API is also on the pre-approved list of ActiveX controls. This list allows it to bypass a security feature in IE that is designed specifically to prevent scripts from executing without a user’s permission. Oh yeah, it also runs from IE Protected Mode…
Fortunately AVG has already patched this flaw in newer versions of the toolbar (18.17.598 and 188.8.131.524), but it appears that the toolbar does not update automatically. This means that there are still many people that are exposed to this flaw and vulnerable to malicious or poisoned websites. If you are using this toolbar we highly recommend updating it, or simply removing it. As CERT researcher Will Dormann this flaw represents one of the biggest issues with third party software (especially free software). In far too many cases that “free software” you are downloading and installing has components that can adversely affect your system.
Just about every “free” application comes with extra goodies. It is how the developers keep them free. Even companies Like Adobe, Oracle (Java) and Microsoft will shove extras at you during the installation of their applications that might put your computer at risk. It is very important to watch for these during the install process and opt-out if you can. If you can’t, perhaps you might not want to just skip that application.
Read the full alert from CERT
Tell us what you think in our Forum