Slashdot Mirror


Trend Micro Flaw Could Have Allowed Attacker To Steal All Passwords (csoonline.com)

itwbennett writes: Trend Micro has released an automatic update fixing the problems in its antivirus product that Google security engineer Tavis Ormandy discovered could allow "anyone on the internet [to] steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction." The password manager in Trend's antivirus product is written in JavaScript and opens up multiple HTTP remote procedure call ports to handle API requests, Ormandy wrote. Ormandy says it took him 30 seconds to find one that would accept remote code. He also found an API that allowed him to access passwords stored in the manager. This is just the latest in a string of serious vulnerabilities that have been found in antivirus products in the last seven months.
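
The pattern the summary describes, a password manager that "opens up multiple HTTP remote procedure call ports to handle API requests", is shown below as an added example. It is not Trend Micro's code and not code from the original page or from Ormandy's report; the endpoint path, the vault contents, the header names and the session-token scheme are this example's own assumptions. The point it demonstrates is the general one: a listener bound to 127.0.0.1 is reachable from any web page the user's browser visits, so "local only" is not a trust boundary, and an RPC that hands out secrets needs authentication of its caller, not just a loopback bind.

```python
import hmac
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed sample vault for the demo; not real credentials.
VAULT = {"example.com": "hunter2", "mail.example": "correct horse battery"}

# Host names a genuine local client would use. Anything else in the Host
# header means a DNS-rebinding page has pointed its own name at 127.0.0.1.
ALLOWED_HOSTS = {"127.0.0.1", "localhost"}


def vulnerable_handle(path, headers, session_token=None):
    """Policy A: serve anyone who can open a TCP connection to the port.

    Binding to 127.0.0.1 is not a trust boundary. Any web page the user
    visits can make the browser send requests to http://127.0.0.1:<port>/
    (fetch, <img>, <form>), so the vault is readable by the whole internet.
    Returns (status, body_text)."""
    if path == "/api/passwords":
        return 200, json.dumps(VAULT)
    return 404, "not found"


def hardened_handle(path, headers, session_token):
    """Policy B: three checks before any RPC is dispatched.

    1. Host header must name loopback (defeats DNS rebinding).
    2. No Origin header: browsers add Origin to cross-site fetch/XHR and
       form POSTs, so its presence means a web page is the caller.
    3. A per-session secret in a custom header. A custom header forces a
       CORS preflight, which this server never approves, and the value is
       unguessable; compare it in constant time."""
    host = headers.get("Host", "").rsplit(":", 1)[0]
    if host not in ALLOWED_HOSTS:
        return 403, "unexpected Host header"
    if "Origin" in headers:
        return 403, "browser-originated request refused"
    presented = headers.get("X-Session-Token", "")
    if not hmac.compare_digest(presented.encode(), session_token.encode()):
        return 401, "missing or wrong session token"
    if path == "/api/passwords":
        return 200, json.dumps(VAULT)
    return 404, "not found"


def make_server(policy, session_token=None):
    """Serve a policy on an ephemeral loopback port; returns (server, port)."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            # Title-case the names so the policy can use a plain dict.
            hdrs = {k.title(): v for k, v in self.headers.items()}
            status, text = policy(self.path, hdrs, session_token)
            payload = text.encode()
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

        def log_message(self, *args):  # keep the demo output quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch(port, path, extra_headers):
    """One GET against the demo server; returns (status, body_text)."""
    req = Request(f"http://127.0.0.1:{port}{path}", headers=extra_headers)
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()


if __name__ == "__main__":
    hostile = {"Origin": "https://evil.example"}  # what a hostile page's fetch() carries
    srv, port = make_server(vulnerable_handle)
    print("vulnerable, hostile page:", fetch(port, "/api/passwords", hostile))
    srv.shutdown()

    token = secrets.token_urlsafe(32)
    srv, port = make_server(hardened_handle, token)
    print("hardened, hostile page:  ", fetch(port, "/api/passwords", hostile))
    print("hardened, bare GET:      ", fetch(port, "/api/passwords", {}))
    print("hardened, real client:   ", fetch(port, "/api/passwords", {"X-Session-Token": token}))
    srv.shutdown()
```

Run it directly and the first line prints the whole vault to a request carrying a foreign Origin; the hardened server answers 403 to that request, 401 to a bare GET with no token, and 200 only to the client that holds the session token. In a real product the token would be handed to the legitimate client out of band (a file readable only by the user, or an OS IPC handshake), never embedded in a page.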


  1. Anyone still uses that crud? by Lumpy · · Score: 1

    Honestly, who uses Trend Micro? Every single company I have been to uses Eset NOD32, or the less IT-educated companies use the McAfee corporate garbage.

    --
    Do not look at laser with remaining good eye.
    1. Re:Anyone still uses that crud? by 110010001000 · · Score: 2

      What the hell? Who the hell isn't using Microsoft Security Essentials when they are using Windows? Eset NOD32???

    2. Re:Anyone still uses that crud? by mitcheli · · Score: 1

      You mean we shouldn't store our passwords on the computer using a password storage program? Say it isn't so. Well, at least my sticky note method is much better.

      --
      Select from tblFriends where interesting >= 4;
    3. Re:Anyone still uses that crud? by malditaenvidia · · Score: 1

      It's usually Symantec Endpoint Protection, in my experience.

    4. Re:Anyone still uses that crud? by PRMan · · Score: 1

      Our company just switched TO Trend Micro. I was baffled, but at least it's less heavy than Symantec.

      --
      Peter predicted that you would "deliberately forget" creation 2000 years ago...
    5. Re:Anyone still uses that crud? by The-Ixian · · Score: 1

      This used to be the case.

      Symantec has surprised me by making a pretty fast centrally managed product. All of the big companies I have worked for are running SEP.

      For years, Symantec was synonymous with slow/fat/bloated but now that is AVG.

      Trend has always been a pretty good performer as well.

      The best AV solution I ever came across both in performance and effectiveness was Sunbelt's Viper... then it was bought by GFI and got bad.

      --
      My eyes reflect the stars and a smile lights up my face.
    6. Re:Anyone still uses that crud? by Anonymous Coward · · Score: 3, Insightful

      Antivirus is for checking off a box to make the legal eagles happy. It isn't for real protection, because most machines get nailed by 0-days or vulnerabilities in browser add-ons.

      Want real protection? Use AdBlock and NoScript, or at least run your browser in a sandbox or VM. Antivirus tends to be ineffective against malvertising, which seems to be the #1 infection vector these days.

    7. Re:Anyone still uses that crud? by jnork · · Score: 1

      ...because I only ever use passwords while in my office.

      --
      Cleverly disguised as a responsible adult.
    8. Re:Anyone still uses that crud? by hairyfeet · · Score: 1

      MSE almost always scores right at the bottom of AV tests; in fact, several AV tests have used MSE in the past as the lower bound for how an AV should perform. This really is not surprising, since it was never designed to even be an AV; it was originally Giant Anti-Spy, which MSFT just bought and rebranded.

      MSE is fine if all you really need is a simple file scanner, something like ClamWin but which automatically scans files instead of doing it manually, but as the AV for a system that might actually encounter real nasties? Yeah...no. Avast, Avira, or Comodo IS if you want a free AV, all of which score higher than MSE while not slowing your system to a crawl like AVG or McCrapee. I've put MSE to the test quite a few times at the shop and I can honestly say I have yet to see it stop a malware infected page whereas all of the above will kill a page load if it detects nasties.

      Don't get me wrong, MSE has its uses. The system I'm typing this on has MSE, but it's a gamer rig where the only browsing is done on a sandboxed browser inside a VM, but how many normal users are gonna go to all that trouble? If the only thing between you and the nasties is your AV, I'd strongly suggest you pick something else; MSE just isn't up to the task. Oh, and before somebody chimes in with "Then why the hell are you using it?" the answer is VERY simple: this is a gamer rig. The only files this system ever touches from the web are the occasional fix for older games, so for scanning those? MSE works fine and doesn't affect my frames per second.

      If any malware magically figures out how to get past my low-rights-mode browser AND a stripped-down Windows 7 with almost no services running AND the VM it's running in? Then frankly no AV in the world is gonna stop that magic bug, so I might as well use the lightest thing they make, which is MSE. For my system at work as well as my family? It's Comodo and Avast.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    9. Re:Anyone still uses that crud? by Arterion · · Score: 1

      I always used System Center Endpoint Protection on Windows 7 systems.

      --
      "That which does not kill us makes us stranger." -Trevor Goodchild
  2. Just wow ... by gstoddart · · Score: 4, Insightful

    The stupidity of this is epic.

    So you've got a security product, and users can be idiots and give you all their passwords ... and then using unsuitable technology you're going to reveal them.

    Jesus fucking Christ on a flaming pogo stick ... a password manager written in javascript??? It opens multiple HTTP RPC ports????

    Are Trend that lazy and incompetent and just pushing crap out the door so they can claim to have one??? And we're supposed to trust you to have a security product???

    This is beyond belief. It sounds like they're just phoning it in, and people should be loudly told to stay away from this pile of crap.

    --
    Lost at C:>. Found at C.
    1. Re:Just wow ... by fustakrakich · · Score: 1

      Wait a minute... A password "manager"? On your computer? Attached to the internet??

      Ohhh, Muurrrrder! I mean, who cares if it's written in Emacs, or straight up binary?

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Just wow ... by phantomfive · · Score: 3, Insightful

      It just shows that many antivirus products are more marketing than product. Which isn't surprising, considering how much they advertise.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Just wow ... by gstoddart · · Score: 1

      Accepting incoming connections makes no sense at all.

      If it bends over and hands out your password to any passerby who stumbles on an open port, then everyone will care.

      Password managers need to handle encryption, not just take incoming API calls, and generally act like security makes a difference.

      Reading TFA indicates this is none of those things.

      You could take some time and competently write this in damned near anything -- even emacs if it's got a decent crypto library. Or you can do what it sounds like Trend did, and incompetently throw something together which kinda looked like a password manager.

      Opening up HTTP ports for RPCs??? No, sorry, you don't get to pretend that's anything but idiotic.

      This screams of some first year programming project, which then created a whole host of terrible security holes which Trend was either unable, or unwilling to spend time understanding.

      --
      Lost at C:>. Found at C.
    4. Re:Just wow ... by Coren22 · · Score: 1

      It even comes free with their antivirus product. I am glad I never used it.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    5. Re:Just wow ... by gstoddart · · Score: 2

      Hilarity ensure

      Grammatically incorrect, but eerily semantically accurate.

      --
      Lost at C:>. Found at C.
    6. Re:Just wow ... by Billly+Gates · · Score: 1

      Trend Micro always had bad ratings with av-total and other security firms in terms of crippling performance. Good news is really bad ones like Norton have improved in this area. My figure is if the product slows down performance then it has to be poorly coded. My guess is right after hearing this

    7. Re:Just wow ... by Coren22 · · Score: 1

      It is an optional installation. I said no to the install when it asked if I wanted the free product.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    8. Re:Just wow ... by s_p_oneil · · Score: 3, Insightful

      It's possible the developer was clueless, but it's also possible something more like this happened:

      1) Developer writes rapid prototype in JavaScript intending to convert it to C.
      2) PHB sees it and says "Wow, that's great! No time to perfect it! We gotta get this feature out the door now!"
      3) Developer says "...but..."
      4) PHB says: "No buts, we'll fix it in the next release." (unless something else important comes up, which has a statistical probability of nearly 100%)

      I've seen both happen plenty of times in software development.

    9. Re:Just wow ... by phantomfive · · Score: 1

      I guess that's why you shouldn't make prototypes......you'll probably never get a chance to make the "real thing"

      --
      "First they came for the slanderers and i said nothing."
    10. Re:Just wow ... by tibit · · Score: 1

      If you want a password manager written in Javascript, there are ways of doing it properly. Clipperz.is is a good example. First and foremost, it is open source. Secondly, it lets you export a read-only copy of the application as a single, self-contained html file that you can run locally and export from again. Or you can export cleartext json+html if you wish to transfer the data elsewhere. Furthermore, everything is encrypted by default and no cleartext leaves your browser. Cleartext is extracted on an as-needed basis, so even if you did a RAM dump from a running instance in a browser, all you'd get is the currently open entry and some of the session keys that would require further reverse-engineering to be of any use. And they have had a third-party security audit done that identified a few problems that were promptly fixed.

      You can run it on your own backend, or on Clipperz's.

      But perhaps I should stay quiet lest someone like Trend Micro buys them out and fucks it for everyone.

      --
      A successful API design takes a mixture of software design and pedagogy.
  3. Dang it! by Anonymous Coward · · Score: 1

    The NSA probably helped add this "flaw" and promised to pay the TrendMicro CEO $5M per year hush money. Now that it is fixed, he will have to give up all that easy money.

    1. Re:Dang it! by chispito · · Score: 1

      The NSA probably helped add this "flaw" and promised to pay the TrendMicro CEO $5M per year hush money. Now that it is fixed, he will have to give up all that easy money.

      Humorous, but the NSA aren't stupid and wouldn't pay for such low hanging fruit.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
  4. User-Agent: Secure Browser by Anonymous Coward · · Score: 1

    Enough said

  5. You used what to write what? by xxxJonBoyxxx · · Score: 4, Insightful

    >> The password manager in Trend's antivirus product is written in JavaScript

    You're letting your web app developers write security software now? How is Trend still even in business?

    1. Re:You used what to write what? by gstoddart · · Score: 2

      No, they're letting their web developers pretend to write security software, when they clearly have no idea of what the hell they're doing.

      This sounds like something you get summer students or a random web-site to code for you.

      I can't decide if this is gross incompetence, or outright fraud.

      --
      Lost at C:>. Found at C.
    2. Re:You used what to write what? by phantomfive · · Score: 5, Insightful

      Trend is in business because Antivirus is more about marketing than about actually solving any problems.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:You used what to write what? by ThatsNotPudding · · Score: 1

      You're letting your web app developers write security software now? How is Trend still even in business?

      Underwritten by the NSA. In light of the Juniper scandal, I mean this seriously.

    4. Re:You used what to write what? by geekmux · · Score: 1

      Antivirus software is a business because Antivirus is more about marketing than about actually solving any problems.

      There we go, FTFY.

      Antivirus is nothing more than yet another insurance policy.

      Corporations run it so they can claim some level of valid defense if they get infected, but other than bullshit legal wranglings, it pretty much does fuck-all to actually protect the enterprise.

    5. Re:You used what to write what? by Billly+Gates · · Score: 1

      I disagree.

      Modern AV combined with ad-blocking software makes a computer somewhat usable for the internet. As someone who supports PCs: modern AV software monitors processes and inspects services to make sure no suspicious activity happens.

    6. Re:You used what to write what? by phantomfive · · Score: 1

      modern AV software monitors processes and inspects services to make sure no suspicious activity happens.

      If you're depending on that to keep computers safe, you're going to be sorely disappointed.
      All a virus writer has to do is test his malware against the major anti-virus software packages, to make sure it's not detected. Simple.

      --
      "First they came for the slanderers and i said nothing."
    7. Re:You used what to write what? by whoever57 · · Score: 1

      Antivirus is nothing more than yet another insurance policy.

      No. Insurance pays out if you suffer a loss. AntiVirus? Go pound ... Antivirus is a business because it allows companies plausible deniability when they get compromised (in MBA speak "best practices").

      --
      The real "Libtards" are the Libertarians!
    8. Re:You used what to write what? by geekmux · · Score: 1

      Antivirus is nothing more than yet another insurance policy.

      No. Insurance pays out if you suffer a loss. AntiVirus? Go pound ... Antivirus is a business because it allows companies plausible deniability when they get compromised (in MBA speak "best practices").

      Ironically, this exact reason was the "insurance" I was referring to. It does "pay out" in this sense because it grants companies this legal protection. Without this defense, risk and costs would be much higher.

  6. As I always say. . . by smooth+wombat · · Score: 2

    the more software you have installed, the slower and more vulnerable your system becomes.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  7. The more you read, more stupid. Consult security by raymorris · · Score: 1

    The more you understand about their code in this case, the more stupidity you see. Most flaws I can understand; someone overlooked something. These people at Trend Micro were beyond incompetent, utterly clueless.

    Security professionals do exist who have been securing (and breaking) systems since the early days of the web. If you're a security company, hire a few of those people. Not only will they help you write software that doesn't stupidly open all of your customers to remote code execution, but by understanding how to write software that doesn't break when someone is trying to break it, we can also help you write software that doesn't break accidentally: reliable software.

    If you're not a security company, but write web-enabled software, at least get someone qualified to spend an hour or two with you at key points in your design and implementation process. Suppose you have me come by for an hour meeting to go over the high-level architecture of your project, a meeting or two to address the linchpin function(s) (encryption, authentication), and I spend an hour or two looking over the final product. Suppose you got someone who charges $200/hour ($300 in California). You only need them for about 4 hours to get 80% of the benefit, so that's about $800 to make your software much more reliable while avoiding the $100 million fuck-ups.

  8. Re:The more you read, more stupid. Consult securit by phantomfive · · Score: 1

    Trend Micro already outsourced their QA to Taiwan, so I don't expect they're looking to increase payroll much.

    --
    "First they came for the slanderers and i said nothing."
  9. Obligatory: All Your Password are Belong to Us by wisnoskij · · Score: 1
    --
    Troll is not a replacement for I disagree.
  10. Wait, what???? by QuietLagoon · · Score: 1
    "...The password manager in Trend's antivirus product is written in JavaScript ..."

    Un - friggin' - believable.

  11. Re:AppScript for apping APPS, not LUDDITE password by zlives · · Score: 2

    even this is relevant... how sad

  12. we're using something called 'APK' over here by SethJohnson · · Score: 4, Funny

    Two weeks ago, my boss had us all download and install a few files described as 'APK'. She assured me it would protect our desktop machines from any and all potential malware threats. So far, I can't say she's wrong.

    The weird thing is that when I try to search for reviews of this product, everything that turns up in Bing seems to be written by people with mental disorders. I guess it's probably anti-astroturfing by commercial competitors.

  13. Re:AppScript for apping APPS, not LUDDITE password by amicusNYCL · · Score: 1

    we know it's you, sexconker

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  14. Our diversity and multicultural workforce are key by Teriblows · · Score: 1

    So much for that... https://archive.is/jdOHs