Slashdot Mirror

← Back to Stories (view on slashdot.org)

Patch Out For 'Ridiculous' Trend Micro Command Execution Vulnerability (theregister.co.uk)

Posted by msmash on from the why-do-we-fall,-mr-wayne? dept.

An anonymous reader shares a report on The Register: A bug in its software meant that Trend Micro accidentally left a remote debugging server running on customer machines. The flaw, discovered by Google's Project Zero researcher Tavis Ormandy, opened the door to command execution of vulnerable systems (running either Trend Micro Maximum Security, Trend Micro Premium Security or Trend Micro Password Manager). Ormandy -- who previously discovered a somewhat similar flaw in Trend Micro's technology -- described the latest flaw as 'ridiculous'. Trend Micro issued a patch for the flaw, a little over a week after Ormandy reported the bug to it on 22 March. The patch is not complete but does address the most critical issues at hand, according to the security firm.

4 of 31 comments (clear)

  1. Guys, it's ok! by phantomfive · · Score: 4, Funny

    Fortunately, Trend Micro won an award, they're the best at stopping zero day threats! So it's not a problem, keep using your anti-virus.

    --
    "First they came for the slanderers and i said nothing."
  2. Who still uses Anti-Virus? by Anonymous Coward · · Score: 3, Funny

    I'm pretty sure Trend Micro causes autism.

  3. Glass house by sinij · · Score: 4, Interesting

    Welcome to realization that this is normal. Not even new normal, as it always been this way.

    Pretty much any vendor out there that produces software or IT hardware doesn't effectively test it. IT vendors that take QA seriously are very very rare, most just don't take testing seriously. This is further complicated by the fact that QA is seen as a dead-end IT career. Universally lower pay matches this outlook. Consequently, hiring and retaining good QA is very challenging as anyone competent constantly attempting to move away from it.

    1. Re:Glass house by phantomfive · · Score: 3, Insightful

      IT vendors that take QA seriously are very very rare, most just don't take testing seriously.

      Security vulnerabilities aren't something you can expect QA to find, it's not what they do. If you want secure code, you need to be thinking about security starting in the design phase, and keep thinking about it until release (and beyond). You can't just test for security at the end of the process, that strategy guarantees failure.

      --
      "First they came for the slanderers and i said nothing."