Slashdot Mirror


Trend Micro Flaw Could Have Allowed Attacker To Steal All Passwords (csoonline.com)

itwbennett writes: Trend Micro has released an automatic update fixing the problems in its antivirus product that Google security engineer Tavis Ormandy discovered could allow "anyone on the internet [to] steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction." The password manager in Trend's antivirus product is written in JavaScript and opens up multiple HTTP remote procedure call ports to handle API requests, Ormandy wrote. Ormandy says it took him 30 seconds to find one that would accept remote code. He also found an API that allowed him to access passwords stored in the manager. This is just the latest in a string of serious vulnerabilities that have been found in antivirus products in the last seven months.

62 comments

  1. Anyone still uses that crud? by Lumpy · · Score: 1

    Honestly, who uses Trend Micro? Every single company I have been to uses Eset NOD32, or the less IT-educated companies use the McAfee corporate garbage.

    --
    Do not look at laser with remaining good eye.
    1. Re:Anyone still uses that crud? by 110010001000 · · Score: 2

      What the hell? Who the hell isn't using Microsoft Security Essentials when they are using Windows? Eset NOD32???

    2. Re:Anyone still uses that crud? by mitcheli · · Score: 1

      You mean we shouldn't store our passwords on the computer using a password storage program? Say it isn't so. Well, at least my sticky note method is much better.

      --
      Select from tblFriends where interesting >= 4;
    3. Re:Anyone still uses that crud? by malditaenvidia · · Score: 1

      It's usually symantec endpoint protection, in my experience.

    4. Re:Anyone still uses that crud? by PRMan · · Score: 1

      Our company just switched TO Trend Micro. I was baffled, but at least it's less heavy than Symantec.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    5. Re:Anyone still uses that crud? by Anonymous Coward · · Score: 0

      Probably people who want effective antivirus. Eset, Kaspersky and BitDefender are always at the top of most respectable reviews.

    6. Re:Anyone still uses that crud? by Anonymous Coward · · Score: 0

      That's because you're dealing with medium and enterprise level companies and the GP is dealing with small ma-n-pa businesses.

    7. Re:Anyone still uses that crud? by The-Ixian · · Score: 1

      This used to be the case.

      Symantec has surprised me by making a pretty fast centrally managed product. All of the big companies I have worked for are running SEP.

      For years, Symantec was synonymous with slow/fat/bloated but now that is AVG.

      Trend has always been a pretty good performer as well.

      The best AV solution I ever came across both in performance and effectiveness was Sunbelt's Viper... then it was bought by GFI and got bad.

      --
      My eyes reflect the stars and a smile lights up my face.
    8. Re:Anyone still uses that crud? by Anonymous Coward · · Score: 3, Insightful

      Antivirus is for checking off a box to make the legal eagles happy. It isn't for real protection, because most machines get nailed by 0-days or vulnerabilities in browser add-ons.

      Want real protection? Use AdBlock and NoScript, or at least run your browser in a sandbox or VM. Antivirus tends to be ineffective against malvertising, which seems to be the #1 infection vector these days.

    9. Re:Anyone still uses that crud? by Anonymous Coward · · Score: 0

      You think you're joking, but unless you have actual reason to anticipate a physical attack (i.e. someone breaking into your office), writing your complicated password down on a sticky note is about the safest thing you can do to secure it from hackers: The probability of it being subject to electronic credential theft is essentially zero.

      And if you seriously anticipate that someone will break into your office, needless to say good passwords are no longer sufficient.

    10. Re:Anyone still uses that crud? by jnork · · Score: 1

      ...because I only ever use passwords while in my office.

      --
      Cleverly disguised as a responsible adult.
    11. Re:Anyone still uses that crud? by hairyfeet · · Score: 1

      MSE almost always scores right at the bottom of AV tests; in fact, several AV tests have used MSE in the past as the lower bound for how an AV should perform. This really is not surprising, since it was never designed to even be an AV; it was originally Giant Anti-spy, which MSFT just bought and rebranded.

      MSE is fine if all you really need is a simple file scanner, something like ClamWin but which automatically scans files instead of doing it manually, but as the AV for a system that might actually encounter real nasties? Yeah...no. Avast, Avira, or Comodo IS if you want a free AV, all of which score higher than MSE while not slowing your system to a crawl like AVG or McCrapee. I've put MSE to the test quite a few times at the shop and I can honestly say I have yet to see it stop a malware infected page whereas all of the above will kill a page load if it detects nasties.

      Don't get me wrong, MSE has its uses; the system I'm typing this on has MSE, but it's a gamer rig where the only browsing is done on a sandboxed browser inside a VM, but how many normal users are gonna go to all that trouble? If the only thing between you and the nasties is your AV, I'd strongly suggest you pick something else; MSE just isn't up to the task. Oh, and before somebody chimes in with "Then why the hell are you using it?" the answer is VERY simple... this is a gamer rig. The only files this system ever touches from the web are the occasional fix for older games, so for scanning those? MSE works fine and doesn't affect my frames per second.

      If any malware magically figures out how to get past my low rights mode browser AND a stripped down Windows 7 with almost no services running AND the VM it's running in? Then frankly no AV in the world is gonna stop that magic bug, so I might as well use the lightest thing they make, which is MSE. For my system at work as well as my family? It's Comodo and Avast.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    12. Re:Anyone still uses that crud? by Anonymous Coward · · Score: 0

      Neither of those does as much as apk proved hosts do for less more efficiently and addons are useless vs clarityray https://pineight.com/mw/index....

    13. Re:Anyone still uses that crud? by Arterion · · Score: 1

      I always used System Center Endpoint Protection on Windows 7 systems.

      --
      "That which does not kill us makes us stranger." -Trevor Goodchild
  2. Just wow ... by gstoddart · · Score: 4, Insightful

    The stupidity of this is epic.

    So you've got a security product, and users can be idiots and give you all their passwords ... and then using unsuitable technology you're going to reveal them.

    Jesus fucking Christ on a flaming pogo stick ... a password manager written in javascript??? It opens multiple HTTP RPC ports????

    Are Trend that lazy and incompetent and just pushing crap out the door so they can claim to have one??? And we're supposed to trust you to have a security product???

    This is beyond belief. It sounds like they're just phoning it in, and people should be loudly told to stay away from this pile of crap.

    --
    Lost at C:>. Found at C.
    1. Re:Just wow ... by fustakrakich · · Score: 1

      Wait a minute... A password "manager"? On your computer? Attached to the internet??

      Ohhh, Muurrrrder! I mean, who cares if it's written in Emacs, or straight up binary?

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Just wow ... by phantomfive · · Score: 3, Insightful

      It just shows that many antivirus products are more marketing than product. Which isn't surprising, considering how much they advertise.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Just wow ... by gstoddart · · Score: 1

      Accepting incoming connections makes no sense at all.

      If it bends over and hands out your password to any passerby who stumbles on an open port, then everyone will care.

      Password managers need to handle encryption, not just take incoming API calls, and generally act like security makes a difference.

      Reading TFA indicates this is none of those things.

      You could take some time and competently write this in damned near anything -- even emacs if it's got a decent crypto library. Or you can do what it sounds like Trend did, and incompetently throw something together which kinda looked like a password manager.

      Opening up HTTP ports for RPCs??? No, sorry, you don't get to pretend that's anything but idiotic.

      This screams of some first year programming project, which then created a whole host of terrible security holes which Trend was either unable, or unwilling to spend time understanding.

      --
      Lost at C:>. Found at C.
    4. Re:Just wow ... by Coren22 · · Score: 1

      It even comes free with their antivirus product. I am glad I never used it.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    5. Re:Just wow ... by Anonymous Coward · · Score: 0

      Marketing manager gets wind of openid.
      Decides that if a bunch of half-brained open source people can build it, then some intern that is underutilized can create a profitable copy of it

      Hilarity ensure

    6. Re:Just wow ... by gstoddart · · Score: 2

      Hilarity ensure

      Grammatically incorrect, but eerily semantically accurate.

      --
      Lost at C:>. Found at C.
    7. Re:Just wow ... by Anonymous Coward · · Score: 0

      Keep in mind that Ormandy has a chip on his shoulder, as he has failed to produce any useful piece of software worth anything, so he is paid by TAGA (The Arrogant Google Assholes) to piss on other people's work.

      --
      Disclaimer: I work for TAGA (The Arrogant Google Assholes)

    8. Re:Just wow ... by Anonymous Coward · · Score: 0

      Are you sure that the interweb has not used it? The stupid plugin would allow anyone to run anything a web page asked it to run.

    9. Re:Just wow ... by Billly+Gates · · Score: 1

      Trend Micro always had bad ratings with av-total and other security firms in terms of crippling performance. Good news is really bad ones like Norton have improved in this area. My figure is if the product slows down performance then it has to be poorly coded. My guess is right after hearing this

    10. Re:Just wow ... by Coren22 · · Score: 1

      It is an optional installation. I said no to the install when it asked if I wanted the free product.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    11. Re:Just wow ... by s_p_oneil · · Score: 3, Insightful

      It's possible the developer was clueless, but it's also possible something more like this happened:

      1) Developer writes rapid prototype in JavaScript intending to convert it to C.
      2) PHB sees it and says "Wow, that's great! No time to perfect it! We gotta get this feature out the door now!"
      3) Developer says "...but..."
      4) PHB says: "No buts, we'll fix it in the next release." (unless something else important comes up, which has a statistical probability of nearly 100%)

      I've seen both happen plenty of times in software development.

    12. Re:Just wow ... by Anonymous Coward · · Score: 0

      Pretty much everyone knows that AV is useless as an active security threat mitigation. It still has its place, but only to catch old known threats so virii from 10 years ago don't continue to chew up systems. (Forcing the continuous arms race we see today)

      Commercial security, as you well know, is mostly theater and companies exist on scaring clueless users or selling products to executives during golf games.

      You also need it to check that box during your audit, ensuring a constant money flow to the above hucksters.

      The only thing that will protect you is always the same. It's always been the same and will always be the same in the future.

      Good practices. Good, thorough, verified, proven... Expensive practice. Separation of privileges and services. Regular auditing. Patching. Testing the patching. Auditing the patching. Backups. Checking backups. Disaster preparedness. Disaster recovery drills. Reduction of attack surface. Penetration testing.

      Boring, basic, manual, man-hour intensive stuff that no product or packaged service can provide.

    13. Re:Just wow ... by phantomfive · · Score: 1

      I guess that's why you shouldn't make prototypes......you'll probably never get a chance to make the "real thing"

      --
      "First they came for the slanderers and i said nothing."
    14. Re:Just wow ... by Anonymous Coward · · Score: 0

      ... a password manager written in javascript???

      Didn't you realize javascript is the one true language? A large swath of programmers out there seem utterly driven to make sure that everything is written in javascript... even operating systems.

    15. Re: Just wow ... by Anonymous Coward · · Score: 0

      Funny, I thought it was pretty cool, then 1 minute in I got bombarded with window::on_error() pop ups. :/

    16. Re:Just wow ... by tibit · · Score: 1

      If you want a password manager written in Javascript, there are ways of doing it properly. Clipperz.is is a good example. First and foremost, it is open source. Secondly, it lets you export a read-only copy of the application as a single, self-contained html file that you can run locally and export from again. Or you can export cleartext json+html if you wish to transfer the data elsewhere. Furthermore, everything is encrypted by default and no cleartext leaves your browser. Cleartext is extracted on an as-needed basis, so even if you did a RAM dump from a running instance in a browser, all you'd get is the currently open entry and some of the session keys, which would require further reverse-engineering to be of any use. And they have had a third-party security audit done that identified a few problems that were promptly fixed.

      You can run it on your own backend, or on Clipperz's.

      But perhaps I should stay quiet lest someone like Trend Micro buys them out and fucks it for everyone.

      --
      A successful API design takes a mixture of software design and pedagogy.
  3. Dang it! by Anonymous Coward · · Score: 1

    The NSA probably helped add this "flaw" and promised to pay the TrendMicro CEO $5M per year hush money. Now that it is fixed, he will have to give up all that easy money.

    1. Re:Dang it! by chispito · · Score: 1

      The NSA probably helped add this "flaw" and promised to pay the TrendMicro CEO $5M per year hush money. Now that it is fixed, he will have to give up all that easy money.

      Humorous, but the NSA aren't stupid and wouldn't pay for such low hanging fruit.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
  4. User-Agent: Secure Browser by Anonymous Coward · · Score: 1

    Enough said

  5. You used what to write what? by xxxJonBoyxxx · · Score: 4, Insightful

    >> The password manager in Trend's antivirus product is written in JavaScript

    You're letting your web app developers write security software now? How is Trend still even in business?

    1. Re:You used what to write what? by gstoddart · · Score: 2

      No, they're letting their web developers pretend to write security software, when they clearly have no idea of what the hell they're doing.

      This sounds like something you get summer students or a random web-site to code for you.

      I can't decide if this is gross incompetence, or outright fraud.

      --
      Lost at C:>. Found at C.
    2. Re:You used what to write what? by phantomfive · · Score: 5, Insightful

      Trend is in business because Antivirus is more about marketing than about actually solving any problems.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:You used what to write what? by ThatsNotPudding · · Score: 1

      You're letting your web app developers write security software now? How is Trend still even in business?

      Underwritten by the NSA. In light of the Juniper scandal, I mean this seriously.

    4. Re:You used what to write what? by geekmux · · Score: 1

      Antivirus software is a business because Antivirus is more about marketing than about actually solving any problems.

      There we go, FTFY.

      Antivirus is nothing more than yet another insurance policy.

      Corporations run it so they can claim some level of valid defense if they get infected, but other than bullshit legal wranglings, it pretty much does fuck-all to actually protect the enterprise.

    5. Re:You used what to write what? by Billly+Gates · · Score: 1

      I disagree.

      Modern AV combined with ad blocking software makes a computer somewhat usable for the internet. As someone who supports PCs, modern AV software monitors processes and inspects services to make sure no suspicious activity happens.

    6. Re:You used what to write what? by phantomfive · · Score: 1

      modern AV software monitors processes and inspects services to make sure no suspicious activity happens.

      If you're depending on that to keep computers safe, you're going to be sorely disappointed.
      All a virus writer has to do is test his malware against the major anti-virus software packages, to make sure it's not detected. Simple.

      --
      "First they came for the slanderers and i said nothing."
    7. Re:You used what to write what? by whoever57 · · Score: 1

      Antivirus is nothing more than yet another insurance policy.

      No. Insurance pays out if you suffer a loss. AntiVirus? Go pound ... Antivirus is a business because it allows companies plausible deniability when they get compromised (in MBA speak "best practices").

      --
      The real "Libtards" are the Libertarians!
    8. Re:You used what to write what? by geekmux · · Score: 1

      Antivirus is nothing more than yet another insurance policy.

      No. Insurance pays out if you suffer a loss. AntiVirus? Go pound ... Antivirus is a business because it allows companies plausible deniability when they get compromised (in MBA speak "best practices").

      Ironically, this exact reason was the "insurance" I was referring to. It does "pay out" in this sense because it grants companies this legal protection. Without this defense, risk and costs would be much higher.

  6. As I always say. . . by smooth+wombat · · Score: 2

    the more software you have installed, the slower and more vulnerable your system becomes.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  7. The more you read, more stupid. Consult security by raymorris · · Score: 1

    The more you understand about their code in this case, the more stupid you see. Most flaws I can understand; someone overlooked something. These people at Trend Micro were beyond incompetent, utterly clueless.

    Security professionals do exist who have been securing (and breaking) systems since the early days of the web. If you're a security company, hire a few of those people. Not only will they help you write software that doesn't stupidly open all of your customers to remote code execution, but by understanding how to write software that doesn't break when someone is trying to break it, we can also help you write software that doesn't break accidentally - reliable software.

    If you're not a security company, but write web-enabled software, at least get someone qualified to spend an hour or two with you at key points in your design and implementation process. Suppose you have me come by for an hour meeting to go over the high-level architecture of your project, a meeting or two to address the linchpin function(s) (encryption, authentication), and I spend an hour or two looking over the final product. Suppose you got someone who charges $200/hour ($300 in California). You only need them for about 4 hours to get 80% of the benefit, so that's about $800 to make your software much more reliable while avoiding the $100 million fuck ups.

  8. Password managers by Anonymous Coward · · Score: 0

    I know this is Trend Micro, but it could have happened to anyone. Many years ago a few users scoffed when I said I didn't trust password managers. And here this is.

    But as always, this is only the known vulnerability. How many are not widely known but being used?

  9. Re:The more you read, more stupid. Consult securit by phantomfive · · Score: 1

    Trend Micro already outsourced their QA to Taiwan, so I don't expect they're looking to increase payroll much.

    --
    "First they came for the slanderers and i said nothing."
  10. AppScript for apping APPS, not LUDDITE passwords! by Anonymous Coward · · Score: 0

    This happened because the LUDDITES at Trend Micro used an appy app language like AppScript to manage LUDDITE passwords instead of apping apps!

    Apps!

  11. Obligatory: All Your Password are Belong to Us by wisnoskij · · Score: 1
    --
    Troll is not a replacement for I disagree.
    1. Re:Obligatory: All Your Password are Belong to Us by Anonymous Coward · · Score: 0

      I, for one, welcome our new imgur overlords!

  12. My employer is a customer of their enterprise AV by Anonymous Coward · · Score: 0

    Their support is all right and their product is probably middle front of the pack. But what I cannot fathom is their policy on submitting malware samples. You have to have a customer key which is not even obviously accessible from the management console.

    I spent 10 minutes trying to explain to the technician that if you're running an antivirus company, you want to use a big net. You want to make it as quick and easy as possible for your customers to submit samples.

    Frankly, antivirus as a product is a lose-lose. It doesn't catch the malware that's really going to screw you over, the 0-days. But there is enough known crap floating around that the old stuff can still bite every now and then if it gets through. So you have to have it (definitely if you're audited) but it doesn't protect you from the biggest threats.

  13. Wait, what???? by QuietLagoon · · Score: 1

    "...The password manager in Trend's antivirus product is written in JavaScript ..."

    Un - friggin' - believable.

  14. Re:The more you read, more stupid. Consult securit by Anonymous Coward · · Score: 0

    Trend Micro's business model has for some years been to acquire companies and technologies in the security space from the US and Canada, then move the ongoing development and maintenance to Taiwan and China and support to the Philippines. So if you're working for a company that gets bought by Trend Micro, take the money and get out, because your job function will be outsourced to someone less expensive, probably a half dozen someones who are less expensive.

  15. Re:AppScript for apping APPS, not LUDDITE password by zlives · · Score: 2

    even this is relevant... how sad

  16. we're using something called 'APK' over here by SethJohnson · · Score: 4, Funny

    Two weeks ago, my boss had us all download and install a few files described as 'APK'. She assured me it would protect our desktop machines from any and all potential malware threats. So far, I can't say she's wrong.

    The weird thing is that when I try to search for reviews of this product, everything that turns up in Bing seems to be written by people with mental disorders. I guess it's probably anti-astroturfing by commercial competitors.

    1. Re:we're using something called 'APK' over here by Anonymous Coward · · Score: 0

      Where can I download these few files you mention to try them and what does anti-astroturfing by commercial competitors mean?

    2. Re:we're using something called 'APK' over here by Anonymous Coward · · Score: 0

      He probably means APK'S Hosts Engine. Apk's attacking antivirus programs at the Register now but makes sense http://forums.theregister.co.u... so it appears apk is posting at the register now since he left us here on slashdot.

    3. Re: we're using something called 'APK' over here by Anonymous Coward · · Score: 0

      Thank goodness he's ok! I was wondering where his walls of text had gone.... maybe it's just me, but I was getting kinda fond of... ok, over it.

    4. Re: we're using something called 'APK' over here by Anonymous Coward · · Score: 0

      Tepples' site on proving apk wrong saying he left slashdot after using it for testing objections against using hosts files. The same occurred there also. He did it to help strengthen his points for hosts use over other methods and to spot things he may have missed. Imho, I must fairly admit I agree no one ever validly proved his points on hosts wrong against addons or even dns. It's a good read and he makes strong points as he always did here. Apk shut down addon users from his first line out on how clarityray detects and blocks them as well as their inefficiency against hosts and lack of abilities against hosts also. From what I read on the register he has a valid point on hosts against antivirus use as well.

  17. Panda is all you need duh by Anonymous Coward · · Score: 0

    Security panda software places a dancing panda on your screen to let you see him defending you from virus. As long as you see panda dancing, you are not affected by virus. Get Security Panda right away!

  18. Re:AppScript for apping APPS, not LUDDITE password by amicusNYCL · · Score: 1

    we know it's you, sexconker

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  19. Our diversity and multicultural workforce are key by Teriblows · · Score: 1

    So much for that... https://archive.is/jdOHs