Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Google Microsoft IT

Microsoft Defender ATP is Detecting Yesterday's Chrome Update as a Backdoor (zdnet.com) 56

Microsoft Defender Advanced Threat Protection (ATP), the commercial version of the ubiquitous Defender antivirus and Microsoft's top enterprise security solution, is currently having a bad day and labeling yesterday's Google Chrome browser update as a backdoor trojan. From a report: The detections are for Google Chrome 88.0.4324.146, the latest version of the Chrome browser, which Google released last night. As per the screenshot (embedded in the linked story), but also based on reports shared on Twitter by other dismayed system administrators, Defender ATP is currently detecting multiple files part of the Chrome v88.0.4324.146 update package as containing a generic backdoor trojan named "PHP/Funvalget.A." The alerts have caused quite a stir in enterprise environments in light of recent multiple software supply chain attacks that have hit companies across the world over the past few months. System administrators are currently awaiting a formal statement from Microsoft to confirm that the detection is a "false possitive" and not an actual threat.
This discussion has been archived. No new comments can be posted.

Microsoft Defender ATP is Detecting Yesterday's Chrome Update as a Backdoor

Comments Filter:
  • by BAReFO0t ( 6240524 ) on Wednesday February 03, 2021 @11:49AM (#61023610)

    Why didn't it detect earlier versions already?

    BTW: Can it detect its own OS too?

  • Oh (Score:5, Funny)

    by backslashdot ( 95548 ) on Wednesday February 03, 2021 @11:49AM (#61023612)

    Microsoft accidentally released software that works correctly? I'm sure they'll fix that soon.

  • My router’s blinkenlights constantly remind me of how much telemetry and software updates happen automatically. And I have woken up to rebooted Windows on a regular occurrence. There was almost a rail accident in China because of flash auto updating to disable itself. One day a false positive or rogue update is going to cause an incident that kills.
    • Using any OS that auto-updates for control systems is user incompetence.

      It's not the fault of a desktop operating system designed as an office productivity tool if someone dies from its gross misuse.

    • by bn-7bc ( 909819 )
      Well that is the rail operators fault for running sw depending on flash, that they knew years ago was on the about to be killed list. And no I do not say it just because “ it happened in China”, I wold have said the same think if it happened anywhere else
    • Re: (Score:3, Informative)

      by Anonymous Coward

      Those blinkenlights also are things like ARP traffic and other things that might not have anything to do with telemetry.

      But you know, hyperventilate over your "blinkenlights"

      • Nobody ever built a "telemetry watcher", to see if Chrome is reporting stuff to Google, or Windows to Microsoft?

        Shouldn't that be open to the user? As far as I know, my keystrokes and screenshots are not going anywhere. Chrome url I suppose, but that's not hidden.

        Incognito in chrome going to google or ms, now that's a problem, though the ISP would know.

    • Most of that is probably incoming traffic. I run ssh on a non standard port and still get thousands of login attempts daily. Finally I switched off passwords just for peace of mind and allow only keys. One specific address from china had done 50,000 connections even after disabling passwords.

  • Itâ(TM)s not a bug itâ(TM)s a feature!
  • Is this how Microsoft is "slamming" Google? (see previously posted article)

    • by dutt ( 738848 )

      My thought as well...

      But most probably a false alarm.

      • by darkain ( 749283 )

        Well, yeah. Totally agreed. The issue is a false positive, which Microsoft's Defender is highly guilty of as of late. It has been flagging a bunch of F/OSS hosted on GitHub (which MS owns, so no excuse why they couldn't probe that site for source code vs binary differences), as well as flagging my own code right after I compile it. And for my own, we're talking super simple 10 line or less scripts that don't include any libraries. Their scanning system is just bonkers in the past year or two.

        • by Whibla ( 210729 )

          As the number of signatures goes up the risk of hash collisions increases(*). Can't be arsed to do the math right now, but I'm fairly certain the rate of increase isn't just linear either. i.e. expect more false positives, and at an increased rate as time goes on.

          It was a pain in the arse when Defender started flagging Dos Box as malicious a couple of years ago, but I suspect that's just the tip of the iceberg.

          (*) I could be talking out of my arse, but if so pretend this is merely a simplification / analogy

  • by cellocgw ( 617879 ) <cellocgw@gmaEINS ... minus physicist> on Wednesday February 03, 2021 @12:28PM (#61023770) Journal

    WARNING: browser is not Bing. Delete immediately

  • by smooth wombat ( 796938 ) on Wednesday February 03, 2021 @12:40PM (#61023848) Journal

    Chrome is spyware. It has numerous backdoors which siphon your personal information. It does even try to hide this fact.

    Of course it would be flagged as a trojan. Why is this even news?

    • by antdude ( 79039 )

      You know what else pisses me off? Some web sites don't work well in non-Chrome web browsers like Office 365's Outlook. :(

      • by theCoder ( 23772 )

        My employer (foolishly IMHO) switched to Office 365 with mail hosted at Microsoft last summer. I have a Linux client at work, so the best way to access my email is through the website (it says IMAP is enabled, but I've never figured out how to access it). And I've found it works just fine in Firefox. It actually works remarkably well for what is essentially a web page. And with the use of some userContent.css rules, I was able to cut out several annoying UI elements, like the breaks in the message index

  • I also saw it flag the "official" uTorrent client the other day.

    And it was reporting a rather nasty rootkit, not anything related to adware (the free Windows clients display ads).

    Now I'm wondering how bad that update might be. Work systems don't use Defender fortunately, but most people I know are using it instead of a paid product.

    • The work system I use does use Defender - the place has gone full O365 on us. Defender has coughed up false-positive problems in past releases, too, so I wouldn't be surprised if there's an update tonight that patches it again. OTOH, Chrome has been uninstalled, because ChrEdge works well enough and it's part of the MS package the company has bought into. Funny though, until December, we still needed IE to start the timesheet application (now it works, with minor glitches, with ChrEdge).

      Back in mainframe da

    • Anything that allows you to remotely connect to it from another PC to control it is suspect. Remember when the CIA malware got leaked, and there was an exploit for VLC?
    • I wouldn't be surprised if was right, uTorrent is pretty shady. Why not use an open source client like qBittorrent or Deluge?

  • Assumptions? (Score:4, Insightful)

    by Lab Rat Jason ( 2495638 ) on Wednesday February 03, 2021 @01:04PM (#61023956)

    It seems to me there is an assumption here that it is impossible for Google to have a supply chain attack, and therefore Microsoft MUST be wrong... while I think that is plausible, and even likely, to assert it as fact means you should probably re-assess your decision making paradigm.

    • I devoutly hope Chrome has no PHP code.

    • by _xeno_ ( 155264 )

      I mean yes, but also presumably based on the name the attack is a PHP-based attack, and Chrome is not PHP and does not come with PHP. Unfortunately Microsoft doesn't provide any additional information about WTF "PHP/Funvalget.A" is, and searching for it finds a ton of articles about this story. Adding "-chrome" did not help as it basically limited it to the useless Microsoft Defender documentation.

      However, in favor of this being something real, the issue is apparently with a localization file, and if Google

  • by sphealey ( 2855 ) on Wednesday February 03, 2021 @01:14PM (#61024000)

    Reminds me of a lesson I learned back in college days: I saw the laboratory building manager going past and asked him why the fire alarm was going off; he responded "I think the building is on fire.".

    • Reminds me of a lesson I learned back in college days: I saw the laboratory building manager going past and asked him why the fire alarm was going off; he responded "I think the building is on fire.".

      Based on the false positive rate of fire alarms, I'd be confident the building wasn't on fire. Like Car Alarms, Fire Alarms have become almost useless for warning of actual fire.

  • A browser made by the #1 search engine - what could go wrong?
  • Proudly defending Microsoft's market position since 2005.

  • false positives are part of life, however this isn't an unusual config and hence a miserable failure on googles part, surely they do some basic testing before release and would have known about this prior to sending the update out?
    • You're probably the first post that actually puts some responsibility on Google. As I think about, you're absolutely right.

      Yes, this could actually be malware in Google's product.
      Yes, this could be Microsoft ATP incorrectly detecting chrome as malware.

      Yet, Google also has a responsibility to do release based testing. Every product company I've dealt with has done release based testing. You'll never get full coverage on every OS and version out there. Yet, you always try and hit the popular ones. Microsoft i

      • by sjames ( 1099 )

        This! Ir reads an awful lot like that dreaded phrase was heard recently at Google: "OMG it compiled! SHIP IT!!!"

  • Let's see a sort of top 10:
    • 01> MS 'integrates' IE into the OS marginalizing competitors
    • 02> Firefox and then Chrome remain competitors
    • 03> Trying to regain the advantage MS introduces Edge
    • 04> Firefox and Chrome remain competitors
    • 05> MS realizes Edge sucks (amazing!)
    • 06> MS rebuilds Edge based on Chrome
    • 07> MS forces Chrome based Edge onto everything
    • 08> Chrome remains competitive
    • 09> MS Defender declares Chrome a virus
    • ...
    • Profit!

After all is said and done, a hell of a lot more is said than done.

Working...