"This control does not internally enforce any restrictions on which sites may invoke its methods, such as by using the SiteLock template," said Will Dormann, a vulnerability analyst at CERT/CC, in a security advisory published Monday.
"This means that any website can invoke the methods exposed by the ScriptHelper ActiveX control."
Furthermore, upon installation, ScriptHelper is automatically placed on a list of pre-approved ActiveX controls in the system registry, bypassing a security feature first introduced in Internet Explorer 7 that prompts users for confirmation before executing ActiveX controls.
It's also excluded from IE's Protected Mode, a security sandbox mechanism, Dormann
All these conditions make it possible for an attacker to execute malicious code on the computer of a user who has a vulnerable version of AVG Secure Search installed, if the user opens a specifically crafted HTML Web page, email message or attachment in Internet Explorer.
The rogue code would be executed with the privileges of the logged-in user, Dormann
According to Dormann
, this AVG Secure Search flaw is the perfect example of how third-party programs bundled with free software -- commonly known as adware, bloatware or foistware among users -- can increase the security risks for Internet users.