Trend Micro Flaw Could Have Allowed Attacker To Steal All Passwords (csoonline.com)

itwbennett writes: Trend Micro has released an automatic update fixing the problems in its antivirus product that Google security engineer Tavis Ormandy discovered could allow "anyone on the internet [to] steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction." The password manager in Trend's antivirus product is written in JavaScript and opens up multiple HTTP remote procedure call ports to handle API requests, Ormandy wrote. Ormandy says it took him 30 seconds to find one that would accept remote code. He also found an API that allowed him to access passwords stored in the manager. This is just the latest in a string of serious vulnerabilities that have been found in antivirus products in the last seven months.
  • Honestly, who uses Trend Micro? Every single company I have been to uses Eset NOD32, or the less IT-educated companies use the McAfee corporate garbage.

    • What the hell? Who the hell isn't using Microsoft Security Essentials when they are using Windows? Eset NOD32???
      • MSE almost always scores right at the bottom of AV tests; in fact several AV tests have used MSE in the past as the lower bound for how an AV should perform. This really is not surprising since it was never designed to even be an AV; it was originally Giant Anti-Spy, which MSFT just bought and rebranded.

        MSE is fine if all you really need is a simple file scanner, something like ClamWin but which automatically scans files instead of doing it manually, but as the AV for a system that might actually encounter r

      • I always used System Center Endpoint Protection on Windows 7 systems.

    • You mean we shouldn't store our passwords on the computer using a password storage program? Say it isn't so. Well, at least my sticky note method is much better.
    • It's usually Symantec Endpoint Protection, in my experience.
    • by PRMan ( 959735 )
      Our company just switched TO Trend Micro. I was baffled, but at least it's less heavy than Symantec.
      • This used to be the case.

        Symantec has surprised me by making a pretty fast centrally managed product. All of the big companies I have worked for are running SEP.

        For years, Symantec was synonymous with slow/fat/bloated but now that is AVG.

        Trend has always been a pretty good performer as well.

        The best AV solution I ever came across both in performance and effectiveness was Sunbelt's Viper... then it was bought by GFI and got bad.

      • by SethJohnson ( 112166 ) on Tuesday January 12, 2016 @05:09PM (#51289767) Homepage Journal
        Two weeks ago, my boss had us all download and install a few files described as 'APK'. She assured me it would protect our desktop machines from any and all potential malware threats. So far, I can't say she's wrong.

        The weird thing is that when I try to search for reviews of this product, everything that turns up in Bing seems to be written by people with mental disorders. I guess it's probably anti-astroturfing by commercial competitors.
  • Just wow ... (Score:5, Insightful)

    by gstoddart ( 321705 ) on Tuesday January 12, 2016 @02:33PM (#51288557) Homepage

    The stupidity of this is epic.

    So you've got a security product, and users can be idiots and give you all their passwords ... and then using unsuitable technology you're going to reveal them.

    Jesus fucking Christ on a flaming pogo stick ... a password manager written in javascript??? It opens multiple HTTP RPC ports????

    Are Trend that lazy and incompetent and just pushing crap out the door so they can claim to have one??? And we're supposed to trust you to have a security product???

    This is beyond belief. It sounds like they're just phoning it in, and people should be loudly told to stay away from this pile of crap.

    • Wait a minute... A password "manager"? On your computer? Attached to the internet??

      Ohhh, Muurrrrder! I mean, who cares if it's written in Emacs, or straight up binary?

      • Accepting incoming connections makes no sense at all.

        If it bends over and hands out your password to any passerby who stumbles on an open port, then everyone will care.

        Password managers need to handle encryption, not just take incoming API calls, and generally act like security makes a difference.

        Reading TFA indicates this is none of those things.

        You could take some time and competently write this in damned near anything -- even emacs if it's got a decent crypto library. Or you can do what it sounds like T

    • Re:Just wow ... (Score:4, Insightful)

      by phantomfive ( 622387 ) on Tuesday January 12, 2016 @02:47PM (#51288663) Journal
      It just shows that many antivirus products are more marketing than product. Which isn't surprising, considering how much they advertise.
    • The more you understand about their code in this case, the more stupidity you see. Most flaws I can understand; someone overlooked something. These people at Trend Micro were beyond incompetent, utterly clueless.

      Security professionals do exist who have been securing (and breaking) systems since the early days of the web. If you're a security company, hire a few of those people. Not only will they help you write software that doesn't stupidly open all of your customers to remote code execution, but by understanding

      • Trend Micro already outsourced their QA to Taiwan, so I don't expect they're looking to increase payroll much.
    • It even comes free with their antivirus product. I am glad I never used it.

    • Trend Micro always had bad ratings with av-total and other security firms in terms of crippling performance. Good news is really bad ones like Norton have improved in this area. My figure is if the product slows down performance then it has to be poorly coded. My guess is right after hearing this

    • Re:Just wow ... (Score:4, Insightful)

      by s_p_oneil ( 795792 ) on Tuesday January 12, 2016 @05:43PM (#51289975) Homepage

      It's possible the developer was clueless, but it's also possible something more like this happened:

      1) Developer writes rapid prototype in JavaScript intending to convert it to C.
      2) PHB sees it and says "Wow, that's great! No time to perfect it! We gotta get this feature out the door now!"
      3) Developer says "...but..."
      4) PHB says: "No buts, we'll fix it in the next release." (unless something else important comes up, which has a statistical probability of nearly 100%)

      I've seen both happen plenty of times in software development.

      • I guess that's why you shouldn't make prototypes... you'll probably never get a chance to make the "real thing".
    • by tibit ( 1762298 )

      If you want a password manager written in Javascript, there are ways of doing it properly. Clipperz.is [clipperz.is] is a good example. First and foremost, it is open source. Secondly, it lets you export a read-only copy of the application as a single, self-contained html file that you can run locally and export from again. Or you can export cleartext json+html if you wish to transfer the data elsewhere. Furthermore, everything is encrypted by default and no cleartext leaves your browser. Cleartext is extracted on as-ne

  • by Anonymous Coward

    The NSA probably helped add this "flaw" and promised to pay the TrendMicro CEO $5M per year hush money. Now that it is fixed, he will have to give up all that easy money.

    • The NSA probably helped add this "flaw" and promised to pay the TrendMicro CEO $5M per year hush money. Now that it is fixed, he will have to give up all that easy money.

      Humorous, but the NSA aren't stupid and wouldn't pay for such low hanging fruit.

  • by Anonymous Coward

    Enough said

  • by xxxJonBoyxxx ( 565205 ) on Tuesday January 12, 2016 @02:38PM (#51288597)

    >> The password manager in Trend's antivirus product is written in JavaScript

    You're letting your web app developers write security software now? How is Trend still even in business?

    • No, they're letting their web developers pretend to write security software, when they clearly have no idea of what the hell they're doing.

      This sounds like something you get summer students or a random web-site to code for you.

      I can't decide if this is gross incompetence, or outright fraud.

    • by phantomfive ( 622387 ) on Tuesday January 12, 2016 @02:51PM (#51288691) Journal
      Trend is in business because Antivirus is more about marketing than about actually solving any problems.
      • Antivirus software is a business because Antivirus is more about marketing than about actually solving any problems.

        There we go, FTFY.

        Antivirus is nothing more than yet another insurance policy.

        Corporations run it so they can claim some level of valid defense if they get infected, but other than bullshit legal wranglings, it pretty much does fuck-all to actually protect the enterprise.

        • Antivirus is nothing more than yet another insurance policy.

          No. Insurance pays out if you suffer a loss. AntiVirus? Go pound ... Antivirus is a business because it allows companies plausible deniability when they get compromised (in MBA speak "best practices").

          • Antivirus is nothing more than yet another insurance policy.

            No. Insurance pays out if you suffer a loss. AntiVirus? Go pound ... Antivirus is a business because it allows companies plausible deniability when they get compromised (in MBA speak "best practices").

            Ironically, this exact reason was the "insurance" I was referring to. It does "pay out" in this sense because it grants companies this legal protection. Without this defense, risk and costs would be much higher.

      • I disagree.

        Modern AV combined with ad blocking software makes a computer somewhat usable for the internet. As someone who supports PCs, modern AV software monitors processes and inspects services to make sure no suspicious activity happens.

        • modern AV software monitors processes and inspects services to make sure no suspicious activity happens.

          If you're depending on that to keep computers safe, you're going to be sorely disappointed.
          All a virus writer has to do is test his malware against the major anti-virus software packages, to make sure it's not detected. Simple.

    • You're letting your web app developers write security software now? How is Trend still even in business?

      Underwritten by the NSA. In light of the Juniper scandal, I mean this seriously.

  • by smooth wombat ( 796938 ) on Tuesday January 12, 2016 @02:39PM (#51288607) Journal

    The more software you have installed, the slower and more vulnerable your system becomes.

  • "...The password manager in Trend's antivirus product is written in JavaScript ..."

    Un - friggin' - believable.
