Implementation issues with AVG Secure Search, a browser toolbar from antivirus vendor AVG Technologies that's supposed to protect users from malicious websites, could have allowed remote attackers to execute malicious code on computers.

The toolbar, also known as AVG SafeGuard, supports Google Chrome, Internet Explorer and Mozilla Firefox running on Windows XP and later, and is often bundled as an optional installation with popular free software programs.

According to researchers from the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, versions 18.1.6 and older of AVG Secure Search and AVG SafeGuard install an ActiveX control called ScriptHelperApi in Internet Explorer that exposes sensitive functionality to websites.

"This control does not internally enforce any restrictions on which sites may invoke its methods, such as by using the SiteLock template," said Will Dormann, a vulnerability analyst at CERT/CC, in a security advisory published Monday. "This means that any website can invoke the methods exposed by the ScriptHelper ActiveX control."

Furthermore, upon installation, ScriptHelper is automatically placed on a list of pre-approved ActiveX controls in the system registry, bypassing a security feature first introduced in Internet Explorer 7 that prompts users for confirmation before executing ActiveX controls. It's also excluded from IE's Protected Mode, a security sandbox mechanism, Dormann said.

All these conditions make it possible for an attacker to execute malicious code on the computer of a user who has a vulnerable version of AVG Secure Search installed, if the user opens a specifically crafted HTML Web page, email message or attachment in Internet Explorer. The rogue code would be executed with the privileges of the logged-in user, Dormann said.

AVG fixed the security issue in AVG Secure Search 18.1.7.598 and AVG Safeguard 18.1.7.644 released in May. It's not clear if the toolbar updates itself, so users should make sure that they download and install the latest version if they intend to keep using it.

AVG responded to our request for a comment with the following: "AVG is aware of a report published today, July 8, by the CERT division of Carnegie Mellon University, which is an organization of security professionals that coordinates the response to internet security incidents. Prior to the report’s publication, we responded to CERT’s claim that the AVG Secure Search Toolbar contained a vulnerability that could affect end users.

The vulnerability relates only to Internet Explorer; all other browsers are not affected. From 1 June, AVG released a fix for all affected users.

We would like to thank CERT for their efforts in researching and reporting this vulnerability, and acknowledge their commitment and policy on responsible disclosure.

AVG is the online security company with 187 million active users who provide product feedback and offer mutual support to other customers. AVG welcomes accurate input from independent consulting firms, third party experts and customers as we believe knowledge sharing and collaborative best practice are extremely important in the online security industry.”

According to Dormann, the flaw is the perfect example of how third-party programs bundled with free software -- commonly known as adware, bloatware or foistware among users -- can increase the security risks for Internet users.

"Free software isn't always free," Dormann warned in a blog post in which he described how his attempt to download and install a popular video player through Download.com resulted in four third-party programs being offered during and after the installation process, leaving him with a "nearly unstable" operating system.

"If you must use a service known for bundling adware into their installers, pay careful attention to the installation steps to make sure to opt out of any additional software choices provided," Dormann said. "Even installing applications such as Oracle Java or Adobe Flash may result in unwanted software, such as browser toolbars, if you are not careful."

One of the strategies to stay safe on the Internet involves minimizing the computer's attack surface by restricting the number of installed applications that could be targeted, Dormann said. "More software is not the solution, it's the problem."