Slashdot Mirror


Trend Micro Flaw Could Have Allowed Attacker To Steal All Passwords (csoonline.com)

itwbennett writes: Trend Micro has released an automatic update fixing the problems in its antivirus product that Google security engineer Tavis Ormandy discovered could allow "anyone on the internet [to] steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction." The password manager in Trend's antivirus product is written in JavaScript and opens up multiple HTTP remote procedure call ports to handle API requests, Ormandy wrote. Ormandy says it took him 30 seconds to find one that would accept remote code. He also found an API that allowed him to access passwords stored in the manager. This is just the latest in a string of serious vulnerabilities that have been found in antivirus products in the last seven months.

6 of 62 comments

  1. Just wow ... by gstoddart · Score: 4, Insightful

    The stupidity of this is epic.

    So you've got a security product, and users can be idiots and give you all their passwords ... and then using unsuitable technology you're going to reveal them.

    Jesus fucking Christ on a flaming pogo stick ... a password manager written in JavaScript??? It opens multiple HTTP RPC ports????

    Are Trend that lazy and incompetent and just pushing crap out the door so they can claim to have one??? And we're supposed to trust you to have a security product???

    This is beyond belief. It sounds like they're just phoning it in, and people should be loudly told to stay away from this pile of crap.

    --
    Lost at C:>. Found at C.
    1. Re:Just wow ... by phantomfive · Score: 3, Insightful

      It just shows that many antivirus products are more marketing than product. Which isn't surprising, considering how much they advertise.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Just wow ... by s_p_oneil · Score: 3, Insightful

      It's possible the developer was clueless, but it's also possible something more like this happened:

      1) Developer writes rapid prototype in JavaScript intending to convert it to C.
      2) PHB sees it and says "Wow, that's great! No time to perfect it! We gotta get this feature out the door now!"
      3) Developer says "...but..."
      4) PHB says: "No buts, we'll fix it in the next release." (unless something else important comes up, which has a statistical probability of nearly 100%)

      I've seen both happen plenty of times in software development.

  2. You used what to write what? by xxxJonBoyxxx · Score: 4, Insightful

    >> The password manager in Trend's antivirus product is written in JavaScript

    You're letting your web app developers write security software now? How is Trend still even in business?

    1. Re:You used what to write what? by phantomfive · Score: 5, Insightful

      Trend is in business because Antivirus is more about marketing than about actually solving any problems.

      --
      "First they came for the slanderers and i said nothing."
  3. Re:Anyone still uses that crud? by Anonymous Coward · Score: 3, Insightful

    Antivirus is for checking off a box to make the legal eagles happy. It isn't for real protection, because most machines get nailed by 0-days or vulnerabilities in browser add-ons.

    Want real protection? Use AdBlock and NoScript, or at least run your browser in a sandbox or VM. Antivirus tends to be ineffective against malvertising, which seems to be the #1 infection vector these days.