Patch Out For 'Ridiculous' Trend Micro Command Execution Vulnerability (theregister.co.uk)
An anonymous reader shares a report on The Register: A bug in its software meant that Trend Micro accidentally left a remote debugging server running on customer machines. The flaw, discovered by Google's Project Zero researcher Tavis Ormandy, opened the door to command execution of vulnerable systems (running either Trend Micro Maximum Security, Trend Micro Premium Security or Trend Micro Password Manager). Ormandy -- who previously discovered a somewhat similar flaw in Trend Micro's technology -- described the latest flaw as 'ridiculous'. Trend Micro issued a patch for the flaw, a little over a week after Ormandy reported the bug to it on 22 March. The patch is not complete but does address the most critical issues at hand, according to the security firm.
The last AV I used was on MS-DOS, InVircible, and it used a heuristic approach: it set out a trap for viruses, so that when they infected the file it knew how the files were infected and could (usually) reverse the process.
Shortly after that I began using Linux (back when you had to arrange for its boot image to be written to the MBR manually). I haven't had any need for AV since. This is because an AV is only as good as the software updates are bad. Linux has good software updates, which means that the exploit vectors are patched at the same rate that an AV would release updates. AVs are only needed where the software isn't patched fast enough. Linux is patched fast enough; Windows and OS X aren't.
Captcha: Imperil.
IT vendors that take QA seriously are very, very rare; most just don't take testing seriously.
Security vulnerabilities aren't something you can expect QA to find; it's not what they do. If you want secure code, you need to be thinking about security starting in the design phase, and keep thinking about it until release (and beyond). You can't just test for security at the end of the process; that strategy guarantees failure.
"First they came for the slanderers and I said nothing."