According to researchers from the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, versions 18.1.6 and older of AVG Secure Search and AVG SafeGuard install an ActiveX control called ScriptHelperApi in Internet Explorer that exposes sensitive functionality to websites.

"This control does not internally enforce any restrictions on which sites may invoke its methods, such as by using the SiteLock template," said Will Dormann, a vulnerability analyst at CERT/CC, in a security advisory published Monday. "This means that any website can invoke the methods exposed by the ScriptHelper ActiveX control."

Furthermore, upon installation, ScriptHelper is automatically placed on a list of pre-approved ActiveX controls in the system registry, bypassing a security feature first introduced in Internet Explorer 7 that prompts users for confirmation before executing ActiveX controls. It's also excluded from IE's Protected Mode, a security sandbox mechanism, Dormann said.

All these conditions make it possible for an attacker to execute malicious code on the computer of a user who has a vulnerable version of AVG Secure Search installed, if the user opens a specifically crafted HTML Web page, email message or attachment in Internet Explorer. The rogue code would be executed with the privileges of the logged-in user, Dormann said.

AVG fixed the security issue in AVG Secure Search 18.1.7.598 and AVG Safeguard 18.1.7.644 released in May.
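For administrators who want to verify whether a given ActiveX control on a Windows host is in the state the advisory describes (registered, on IE's pre-approved list, and not blocked by a kill bit), the following PowerShell function is an added example written for this page; it is not code from the article, from CERT/CC or from AVG. It assumes the standard registry locations Internet Explorer uses for the pre-approved list and for ActiveX compatibility flags, and the CLSID in the usage line is a placeholder, because the article does not give ScriptHelperApi's real CLSID.

```powershell
# Added example (not from the article, CERT/CC or AVG): audit an ActiveX
# control's Internet Explorer exposure by CLSID.
function Get-ActiveXExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^\{[0-9A-Fa-f-]{36}\}$')]
        [string]$Clsid
    )

    # IE's list of controls that load without the "run this ActiveX control?"
    # prompt introduced in IE7. Presence of the CLSID subkey is what matters.
    $preApprovedKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\$Clsid"

    # Kill-bit location: a 'Compatibility Flags' DWORD with bit 0x400 set
    # prevents IE from instantiating the control at all.
    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

    # Where the control's in-process server DLL is registered.
    $serverKey = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"

    $flags = 0
    if (Test-Path $compatKey) {
        $flags = (Get-ItemProperty -Path $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags) { $flags = 0 }
    }

    $dll = $null
    if (Test-Path $serverKey) {
        $dll = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
    }

    # A control that is Registered and PreApproved with KillBitSet = $false
    # can be instantiated by any site without a confirmation prompt.
    [pscustomobject]@{
        Clsid       = $Clsid
        Registered  = [bool]$dll
        ServerDll   = $dll
        PreApproved = (Test-Path $preApprovedKey)
        KillBitSet  = (($flags -band 0x400) -ne 0)
    }
}

# Usage with a placeholder CLSID (replace with the CLSID you are auditing):
Get-ActiveXExposure -Clsid '{00000000-0000-0000-0000-000000000000}'
```

Run it from an elevated 64-bit PowerShell session; 32-bit Internet Explorer reads the same keys under the Wow6432Node view, so a control registered only for 32-bit IE may need those paths checked as well. Setting the kill bit for a CLSID is the documented way to block a control in IE without uninstalling the software that ships it.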