Slashdot Mirror

← Back to Stories (view on slashdot.org)

Trend Micro Flaw Could Have Allowed Attacker To Steal All Passwords (csoonline.com)

Posted by Soulskill on from the of-barn-doors-and-horses dept.

itwbennett writes: Trend Micro has released an automatic update fixing the problems in its antivirus product that Google security engineer Tavis Ormandy discovered could allow "anyone on the internet [to] steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction." The password manager in Trend's antivirus product is written in JavaScript and opens up multiple HTTP remote procedure call ports to handle API requests, Ormandy wrote. Ormandy says it took him 30 seconds to find one that would accept remote code. He also found an API that allowed him to access passwords stored in the manager. This is just the latest in a string of serious vulnerabilities that have been found in antivirus products in the last seven months.

12 of 62 comments (clear)

  1. Just wow ... by gstoddart · · Score: 4, Insightful

    The stupidity of this is epic.

    So you've got a security product, and users can be idiots and give you all their passwords ... and then using unsuitable technology you're going to reveal them.

    Jesus fucking Christ on a flaming pogo stick ... a password manager written in javascript??? It opens multiple HTTP RPC ports????

    Are Trend that lazy and incompetent and just pushing crap out the door so they can claim to have one??? And we're supposed to trust you to have a security product???

    This is beyond belief. It sounds like they're just phoning it in, and people should be loudly told to stay away from this pile of crap.

    --
    Lost at C:>. Found at C.
    1. Re:Just wow ... by phantomfive · · Score: 3, Insightful

      It just shows that many antivirus products are more marketing than product. Which isn't surprising, considering how much they advertise.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Just wow ... by gstoddart · · Score: 2

      Hilarity ensure

      Grammatically incorrect, but eerily semantically accurate.

      --
      Lost at C:>. Found at C.
    3. Re:Just wow ... by s_p_oneil · · Score: 3, Insightful

      It's possible the developer was clueless, but it's also possible something more like this happened:

      1) Developer writes rapid prototype in JavaScript intending to convert it to C.
      2) PHB sees it and says "Wow, that's great! No time to perfect it! We gotta get this feature out the door now!"
      3) Developer says "...but..."
      4) PHB says: "No buts, we'll fix it in the next release." (unless something else important comes up, which has a statistical probability of nearly 100%)

      I've seen both happen plenty of times in software development.

  2. You used what to write what? by xxxJonBoyxxx · · Score: 4, Insightful

    >> The password manager in Trend's antivirus product is written in JavaScript

    You're letting your web app developers write security software now? How is Trend still even in business?

    1. Re:You used what to write what? by gstoddart · · Score: 2

      No, they're letting their web developers pretend to write security software, when they clearly have no idea of what the hell they're doing.

      This sounds like something you get summer students or a random web-site to code for you.

      I can't decide if this is gross incompetence, or outright fraud.

      --
      Lost at C:>. Found at C.
    2. Re:You used what to write what? by phantomfive · · Score: 5, Insightful

      Trend is in business because Antivirus is more about marketing than about actually solving any problems.

      --
      "First they came for the slanderers and i said nothing."
  3. As I always say. . . by smooth+wombat · · Score: 2

    the more software you have installed the slower and more vulnerable your system becomes.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  4. Re:Anyone still uses that crud? by 110010001000 · · Score: 2

    What the hell? Who the hell isn't using Microsoft Security Essentials when they are using Windows? Eset NOD32???

  5. Re:AppScript for apping APPS, not LUDDITE password by zlives · · Score: 2

    even this is relevant... how sad

  6. Re:Anyone still uses that crud? by Anonymous Coward · · Score: 3, Insightful

    Antivirus is for checking off a box to make the legal eagles happy. It isn't for real protection, because most machines get nailed by 0-days or vulnerabilities in browser add-ons.

    Want real protection? Use AdBlock and NoScript, or at least run your browser in a sandbox or VM. Antivirus tends to be ineffective against malvertising, which seems to be the #1 infection vector these days.

  7. we're using something called 'APK' over here by SethJohnson · · Score: 4, Funny

    Two weeks ago, my boss had us all download and install a few files described as 'APK'. She assured me it would protect our desktop machines from any and all potential malware threats. So far, I can't say she's wrong.

    The weird thing is that when I try to search for reviews of this product, everything that turns up in Bing seems to be written by people with mental disorders. I guess it's probably anti-astroturfing by commercial competitors.

    --
    $5 / month hosted VPS on linux = awesome!