Slashdot Mirror

← Back to Stories (view on slashdot.org)

Patch Out For 'Ridiculous' Trend Micro Command Execution Vulnerability (theregister.co.uk)

Posted by msmash on from the why-do-we-fall,-mr-wayne? dept.

An anonymous reader shares a report on The Register: A bug in its software meant that Trend Micro accidentally left a remote debugging server running on customer machines. The flaw, discovered by Google's Project Zero researcher Tavis Ormandy, opened the door to command execution of vulnerable systems (running either Trend Micro Maximum Security, Trend Micro Premium Security or Trend Micro Password Manager). Ormandy -- who previously discovered a somewhat similar flaw in Trend Micro's technology -- described the latest flaw as 'ridiculous'. Trend Micro issued a patch for the flaw, a little over a week after Ormandy reported the bug to it on 22 March. The patch is not complete but does address the most critical issues at hand, according to the security firm.

31 comments

  1. Guys, it's ok! by phantomfive · · Score: 4, Funny

    Fortunately, Trend Micro won an award, they're the best at stopping zero day threats! So it's not a problem, keep using your anti-virus.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Guys, it's ok! by Coren22 · · Score: 1

      I let my subscription lapse. I figure I am better off just using Windows Defender.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    2. Re:Guys, it's ok! by Anonymous Coward · · Score: 1, Insightful

      The last AV I used was on MS DOS, Invirsible, and it used a heuristic approach: It set out a trap for viruses, so that when they infected the file it knew how the files were infected and could (usually) reverse the process.

      Shortly after that I began using Linux (back when you had to arrange for its boot image to be written to the MBR manually). I haven't had any need for AV since. This is because an AV is only as good as the software updates are bad. Linux has good software updates, which means that the exploit vectors are patched at the same rate that an AV would release updates. AVs are only needed where the software isn't patched fast enough. Linux is patched fast enough, windows and OSX aren't.

      Captcha: Imperil.

    3. Re:Guys, it's ok! by phantomfive · · Score: 1

      Linux has good software updates, which means that the exploit vectors are patched at the same rate that an AV would release updates

      That's a good point, I'd never thought of it like that before.

      --
      "First they came for the slanderers and i said nothing."
    4. Re:Guys, it's ok! by Anonymous Coward · · Score: 0

      It didn't seem to do much at the time of conficker, at some point it even stopped detecting malware that it previously could detect.

  2. Who still uses Anti-Virus? by Anonymous Coward · · Score: 3, Funny

    I'm pretty sure Trend Micro causes autism.

  3. Remember, only apps can app apps! by Anonymous Coward · · Score: 0

    The LUDDITES at Trend Micro mixed appy app apps with their LUDDITE software, which is how this security vulnerability slipped through! If they only used apps like modern app appers, everything would be 100% appy!

    Apps!

  4. Accidental remote command execution? by Anonymous Coward · · Score: 0

    "Whoops!" --NSA

    Accidental, my arse. Yet another company who can't be trusted.

    1. Re:Accidental remote command execution? by Anonymous Coward · · Score: 1

      "Whoops!" --NSA

      Accidental, my arse. Yet another company who can't be trusted.

      The Slashdot inline summary for your post was awesome: NSAAccidental, my arse.

      I think this should be coined as a new term: NSAccidental pronounced N-S-Accidental

  5. Glass house by sinij · · Score: 4, Interesting

    Welcome to realization that this is normal. Not even new normal, as it always been this way.

    Pretty much any vendor out there that produces software or IT hardware doesn't effectively test it. IT vendors that take QA seriously are very very rare, most just don't take testing seriously. This is further complicated by the fact that QA is seen as a dead-end IT career. Universally lower pay matches this outlook. Consequently, hiring and retaining good QA is very challenging as anyone competent constantly attempting to move away from it.

    1. Re:Glass house by phantomfive · · Score: 3, Insightful

      IT vendors that take QA seriously are very very rare, most just don't take testing seriously.

      Security vulnerabilities aren't something you can expect QA to find, it's not what they do. If you want secure code, you need to be thinking about security starting in the design phase, and keep thinking about it until release (and beyond). You can't just test for security at the end of the process, that strategy guarantees failure.

      --
      "First they came for the slanderers and i said nothing."
    2. Re: Glass house by Anonymous Coward · · Score: 1

      Well, clearly no one at trend micro was thinking about security at any part of the development process, because if they did they wouldn't have left a remote debugging server built into a commercial anti virus program that typically runs with admin rights. So in this case, if some QA guy did a quick port check and just so happened to find the debugging server, I think testing for it would have helped.

      Security is an in depth business. QA is just as much a part of that business as any other part of the process. In fact QA is especially important as it's their job to try and catch what the automatic tests and the devs failed to catch before the product ships and becomes someone else's vulnerability. Unfortunately, because anything QA finds is considered someone else's problem, and fixing it would make the product miss it's shipping date (set by marketing), and cost more money outside the development budget (set by the corporate bean counters), QA's importance to having a healthy industry is downplayed to boost profits. So we get shit like having a damn remote debugging server in a security product. This is the reason I support requiring fines close to bankruptcy for companies that do this shit. Only once the cost of not hardening your damn product far outweighs the cost of doing so, will these companies change.

    3. Re:Glass house by sinij · · Score: 1

      I disagree. Remote debugging was left on. This is something I do expect QA to catch.

    4. Re:Glass house by Anonymous Coward · · Score: 0

      Security vulnerabilities aren't something you can expect QA to find, it's not what they do. If you want secure code, you need to be thinking about security starting in the design phase, and keep thinking about it until release (and beyond). You can't just test for security at the end of the process, that strategy guarantees failure.

      The thing is that the fact they built a debug console and used it for testing is likely a good thing. The thing is that it somehow made it past everyone and into a released product. The fault is not where you claim it to be, its that they did a shoddy job between unit testing and release to remove the test components. This is actually very ridiculous as well, they should actually be in different parts of the tree.

    5. Re:Glass house by phantomfive · · Score: 1

      That's a build engineer's job.

      --
      "First they came for the slanderers and i said nothing."
    6. Re:Glass house by Cili · · Score: 1

      QA should be able to catch build bugs too.

  6. Hosts = better antivirus than antivirus by Anonymous Coward · · Score: 1, Interesting

    APK Hosts File Engine 9.0++ SR-4 32/64-bit http://www.bing.com/search?q=%...

    * Less power/cpu/ram+ IO use vs. local DNS servers + addons w/ less security issues vs. DNS + routers. Less complex vs firewalls (needing layered filtering drivers - hosts don't + firewalls block less used IP addresses, hosts block more used host-domain names) complimenting 'em. Antivirus = reactive. Hosts = proactive, blocking infection BEFORE you get it. Gets its data from 10 reputable security community sites.

    APK

    P.S. - Hosts get you more speed (hardcodes + adblocks) & faster vs. addons, security (vs. bad sites/dns security issues), reliability (vs. downed/poisoned dns), & anonymity (dns requestlogs/trackers) vs. other "so-called -solutions'" w/ what you natively have. Unlike Adblock/UBlock/Ghostery, hosts != blockable by ClarityRay/BlockIQ... apk

    1. Re:Hosts = better antivirus than antivirus by phantomfive · · Score: 1

      Hosts = better antivirus than antivirus

      In this case, I guess it's probably true. As long as you include keeping your patches up to date.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Hosts = better antivirus than antivirus by Anonymous Coward · · Score: 0

      So assuming I use "host file protection" to block viruses, and then I go to a website, which I trust, that has drive by malware, how does my using host files help? Hosts file only works if you know, in advance, that you cannot trust the end point. Likewise, let's say the PC next to me, in my LAN, has an infection that's spreading (a worm). How does a hosts file help, here?

      Without losing your shit, for once, actually answer the question. Don't write a 20 page thesis ranting about how the world conspires against you and quoting some irrelevant article from 2002. Don't attack me personally. Just simply explain how a hosts file with a shit tonne of redirects to localhost protects against hosts that you don't know about in advance or internally infected machines.

    3. Re: Hosts = better antivirus than antivirus by Anonymous Coward · · Score: 0

      No, it's not. The whole hosts process requires someone to get infected and report to a list maintainer and then updated and each PC.

      What percentage of infections are on newbies who don't know how to report or find the infecting server?

      Better than nothing, not better than AV.

    4. Re: Hosts = better antivirus than antivirus by Anonymous Coward · · Score: 0

      Wrong. A process you speak of is antivirus reactiveness. Hosts = more proactive blocking infestation in dozens of security researcher sources for protective data out there for hosts. You can't get sick if you can't touch the disease. It never reaches your system. With antivirus it has to reach it and by then there's no guarantee it can remove infection either.

    5. Re: Hosts = better antivirus than antivirus by Anonymous Coward · · Score: 0

      Explain Tavis Ormandy finding exploitable security issues in all antiviruses bigshot http://www.bing.com/search?q=t...

  7. Purely theoretical bs but here goes... apk by Anonymous Coward · · Score: 0

    See subject: It would hold true on antivirus also (if they don't have signatures vs. a new one & "heuristics" usually trigger false positives, I know, I've had to overturn them on programs of mine like this one & was successful against all 10 antiviruses that did that mistake) - anyone can think of a scenario like that! E.G.-> "What if the sky was filled with a huge asteroid that is about to hit earth, where would you run to protect yourself?".

    Anyhow/anyways: Just don't use the main delivery mechanisms (above malvertising) for malware in java, javascript or flash - you should be ok.

    Javascript's ONLY really mandatory on sites that do e-commerce or db access. If you don't need that don't do it (same with FLASH or java) & you'd be safest of all. I surf /. here just fine minus javascript. It's doable for MOST sites.

    APK

    P.S.=> There's your answer vs. your theoretical bs... apk

    1. Re:Purely theoretical bs but here goes... apk by Anonymous Coward · · Score: 0

      So. Much. Autism.

    2. Re: Purely theoretical bs but here goes... apk by Anonymous Coward · · Score: 0

      You didn't answer shit. You said false positives happen and are bad (same happens for hosts file lists).
      You said turn off some features, which is also silly.

      Non fucking answer.

    3. Re: Purely theoretical bs but here goes... apk by Anonymous Coward · · Score: 0

      Hosts blocks sources of infestation before you get it. For antivirus to work you have to be sick first. Hosts wins there by a longshot. Hosts protective data is updated daily by dozens of security researchers and very easily using apk's program.

    4. Re: Purely theoretical bs but here goes... apk by Anonymous Coward · · Score: 0

      Why speak of yourself in the 3rd person? Everyone knows this *is* APK responding. You have, of course, still failed to answer the questions. I'll try asking it again but we all know you won't even try to answer it. If you don't ALREADY block the host, then the connection will be allowed. So if Host_A is not blocked, then gets infected, host file blocking won't stop you going to Host_A. So, in clear English, please explain how host file blocking works against UNKNOWN infections.

    5. Re: Purely theoretical bs but here goes... apk by Anonymous Coward · · Score: 0

      Why do you post with no registered name hypocrite? Explain Tavis Ormandy's findings in all antiviruses of exploitable security issues in them http://www.bing.com/search?q=t...

  8. Antivirus = useless (Symantec) + Tavis Ormandy by Anonymous Coward · · Score: 0

    http://www.pcworld.com/article... & antivirus adds on more slowing bloat. Hosts speed you up 2 ways by comparison! See subject and it's useless vs unknowns often failing causing false positives as apk noted and thus they're useless crap that slows up computers and doesn't work. Even Symantec said so against modern threats. Hosts updated daily by the 1,000's in known bad sites that deliver malware does work. The odds do the rest for others not caught thus. It has been a pleasure shutting you up. By the way. Ask Tavis Ormandy how many SECURITY FLAWS HE'S FOUND IN ALL ANTIVIRUSES LATELY TOO!

  9. LOL! Antivirus can't even protect itself proof by Anonymous Coward · · Score: 0

    Tavis Ormandy found exploitable security issues in all antiviruses that are used by malware http://www.bing.com/search?q=t...

    * Antivirus is ONLY as good as its signatures database and is FAR more 'reactive' in that you must be infested for it to work in the 1st place which hosts stops before THAT can happen!

    Again - see the above?

    It's already BEEN EXPLOITED to fool antivirus making it useless... plus Symantec has said "Antivirus = useless vs. modern threats" too!

    APK

    P.S.=> You're also a FOOL for trusting ANY website to be 'safe' stupid - disabling scripting as I said is your BEST PROTECTION vs. infestation (where possible for minimum functionality as I said before), Flash & Java are the same risk too... apk