I read that as saying the fix for the first issue, which wasn't sufficient. If it was for the second, then they would have submitted it directly first like they did the first, not by uploading to the webstore.
> I read that as saying the fix for the first issue, which wasn't sufficient.
Eh?
The reported issue is fixed. If it wasn't, Ormandy wouldn't have marked the bug as "Fixed", and said "I believe this issue is resolved now". Presumably, AVG has also promised to "...get a professional web audit of those whitelisted domains...".
Ormandy's no hack, dude.
> ...they would have submitted it directly first like they did the first, not by uploading to the webstore.
...how else would AVG get the update into the hands of users? Email a copy to them?
> The reported issue is fixed. If it wasn't, Ormandy wouldn't have marked the bug as "Fixed", and said "I believe this issue is resolved now". Presumably, AVG has also promised to "...get a professional web audit of those whitelisted domains...".
The XSS is not fixed. Loading the link still executes arbitrary javascript. If the audit is agreed but not performed (which doesn't seem evident from the page) then they should wait until it's complete before publicizing this.
> ...how else would AVG get the update into the hands of users? Email a copy to them?
I meant as they submitted the previous fix to the bug finder for approval. It sounds to me like the following happened:
1. Guy finds a bug, reports it
2. They build a fix, send it to him
3. He finds a problem with the fix
4. They submit the flawed fix to the webstore (unclear if this happened before or after 3)
5. Guy is happy and publishes bug, including details of wide-open hole, enabling exploitation of any AVG user with the extension.
The reported issue "AVG: "Web TuneUP" extension multiple critical vulnerabilities" is fixed. The issue submitter, investigator, and closer is the same person, Tavis Ormandy.
As reported by Ormandy: "This isssue appears to be resolved in version 4.2.5.169 of the chrome extension, which looks like it's about to be made available for update on the webstore..." and then, a few days later: "I believe this issue is resolved now, but inline installations are disabled while the CWS team investigate possible policy violations.".
> It sounds to me like the following happened...
It's clear to me that that's not how it went down. From the bug report:
"This isssue appears to be resolved in version 4.2.5.169 of the chrome extension, which looks like it's about to be made available for update on the webstore..." (Emphasis mine)
How could Ormandy investigate and report on a new version of the software before it was uploaded to the Webstore, if AVG never sent it to him to evaluate, and he had to download it from the Web store to investigate it?
Pause for a moment and think about that. It's an important question.
After you've achieved enlightenment, remember that Tavis Ormandy is not some hack. Go do a bit of research on him and who he works for.
> The reported issue "AVG: "Web TuneUP" extension multiple critical vulnerabilities" is fixed. The issue submitter, investigator, and closer is the same person, Tavis Ormandy.
If you could stop condescending for a minute and pay attention to what I've said, you'll see the issue is still there. If you aren't convinced, just click http://webtuneup.avg.com/static/dist/app/4.0.5.0/interstitia... : as of the writing of this comment, that produces a javascript alert. Mind explaining how the issue was fixed?
> How could Ormandy investigate and report on a new version of the software before it was uploaded to the Webstore, if AVG never sent it to him to evaluate, and he had to download it from the Web store to investigate it?
It sounded like they did send it to him to evaluate, and it had only fixed the other issues. The XSS on AVG's website isn't something that can be fixed by the extension, it needs the audit, which clearly hasn't completed yet, or the link above wouldn't produce an alert.
Which specific part of the timeline do you differ from me on?
I'm not condescending. I carefully read everything you wrote.
Carefully read Ormandy's report. Notice how the reported issue is:
"This extension adds numerous JavaScript API's to chrome... Anyway, many of the API's are broken, the attached exploit steals cookies from avg.com. It also exposes browsing history and other personal data to the internet, I wouldn't be surprised if it's possible to turn this into arbitrary code execution."
According to Ormandy, that issue is fixed. Or is your claim that he's lying about this and marking it as Resolved-Fixed just to get it off of his plate or something?