How safe are security products? First AVG, now TrendMicro with major flaws
Google researcher Tavis Ormandy discovered a major flaw in the password manager component of TrendMicro Antivirus for Windows recently that had several major security issues that would, among other things, allow websites to run arbitrary commands, expose all stored passwords, or run a "secure browser" that is not secure at all.
It seems that Google is currently investigating security products on Windows, and especially those that interact with the Chrome web browser or Chromium in one way or another.
The company shamed AVG openly at the beginning of January for its Web TuneUp extension for Chrome, as security flaws in it put the 9 million Chrome users who had installed it at risk.
TuneUp, installed with AVG security software or separately, put Chrome users at risk by disabling Chrome's "web security" for users who had installed the extension.
AVG eventually produced a fix (it took two attempts, as the first was rejected as insufficient).
TrendMicro Password Manager security issue
And now it is Trend Micro that gets shamed openly by Google. According to Ormandy, the culprit this time is the Password Manager component, which is installed automatically with TrendMicro Antivirus for Windows and runs at startup (it is also available as a standalone program and app).
It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute().
This means any website can launch arbitrary commands[..]
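The pattern behind the finding quoted above is a local API that any website can reach and that forwards a caller-supplied string to ShellExecute(), which resolves executables and local paths just as readily as web URLs. The following is an added example, not code from the article or from Trend Micro: two handlers in Python that model the unfixed design beside a hardened one. The action names, the ALLOWED_ORIGINS allowlist and the sample inputs are constructed for illustration; nothing is executed, the handlers only return the decision they would make.

```python
"""Added example (not the article's or Trend Micro's code): models a
local 'open URL in default browser' endpoint, unfixed vs. hardened."""
from urllib.parse import urlsplit

# Origins permitted to call the local API. Assumed value for the example;
# the page does not describe any allowlist in the real product.
ALLOWED_ORIGINS = {"https://pwm.example.test"}


def vulnerable_open_url(origin, target):
    """Models the unfixed behaviour described on the page: the caller's
    origin is never checked and the raw string goes straight to
    ShellExecute(), which runs executables as happily as it opens URLs."""
    return ("ShellExecute", target)


def hardened_open_url(origin, target):
    """Only a trusted origin may call, and only an http(s) URL with a host
    is passed on. Everything else is refused with a reason that can be
    logged, which is also what a detection rule would key on."""
    if origin not in ALLOWED_ORIGINS:
        return ("refused", "untrusted origin")
    # Reject control characters before parsing so nothing can smuggle
    # extra arguments or newlines past the scheme/host checks below.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return ("refused", "control character in url")
    parts = urlsplit(target)
    if parts.scheme.lower() not in ("http", "https"):
        return ("refused", "scheme not http/https")
    if not parts.hostname:
        return ("refused", "missing host")
    # Hand the URL to an explicitly chosen browser executable rather than
    # to shell verb resolution, so a path or program name is never run.
    return ("launch_browser", target)


if __name__ == "__main__":
    # Constructed sample calls showing the difference between the two.
    samples = [
        ("https://attacker.example", "notepad.exe"),
        ("https://pwm.example.test", "file:///C:/tools/notepad.exe"),
        ("https://pwm.example.test", "https://example.test/login"),
    ]
    for origin, target in samples:
        print(origin, target, "->",
              vulnerable_open_url(origin, target),
              hardened_open_url(origin, target))
```

The two checks matter independently: an origin check alone still lets a trusted page be abused by whatever it loads, and a scheme check alone still lets any site trigger browser launches. Refusing both, and never routing the string through ShellExecute's verb resolution, is what removes the arbitrary-command outcome the page describes.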
In a reply to an employee of TrendMicro Ormandy added the following information:
Hey, just wanted to check if there's any update here? This is trivially exploitable and discoverable in the default install, and obviously wormable - in my opinion, you should be paging people to get this fixed.
FWIW, it's even possible to bypass MOTW, and spawn commands without any prompts whatsoever. An easy way to do that (tested on Windows 7), would be to auto-download a zip file containing an HTA file, and then invoke it [..]
The first build that TrendMicro sent over to Tavis Ormandy for verification fixed one of the major issues of the program (the use of ShellExecute), but it did not take care of the other issues spotted during his rough examination of the code.
Ormandy noted, for instance, that one of the APIs used by TrendMicro spawned "an ancient" build of Chromium (version 41 of the browser, while the current release was version 49) and that it disabled the browser's sandbox on top of that, all in order to offer a "secure browser" to its users.
His reply to TrendMicro was blunt:
You were just hiding the global objects and invoking a browser shell...? ...and then calling it "Secure Browser"?!? The fact that you also run an old version with --disable-sandbox just adds insult to injury.
I don't even know what to say - how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?
Last but not least, Ormandy discovered that the program offered a "nice clean API for accessing passwords stored in the password manager", and that anyone could "just read all of the stored passwords".
Users are prompted on installation to export their browser passwords, but that's optional. I think an attacker can force it with /exportBrowserPasswords API, so even that doesn't help. I sent an email pointing this out:
In my opinion, you should temporarily disable this feature for users and apologise for the temporary disruption, then hire an external consultancy to audit the code. In my experience dealing with security vendors, users are quite forgiving of mistakes if vendors act quickly to protect them once informed of a problem, I think the worst thing you can do is leave users exposed while you clean this thing up. The choice is yours, of course.
The issue does not appear to have been fixed completely at the time of writing, despite TrendMicro's efforts and the several patches the company has produced in the past couple of days.
Security software inherently insecure?
The main question that should come out of this is "how secure are security products?". Two major issues in two products by major players in the antivirus field are cause for concern, especially since they are probably not the only vendors that have failed to secure their own products properly.
For end users, it is nearly impossible to tell that something is wrong, which leaves them in a precarious situation. Can they trust their security solution to keep their data safe, or is the very software that is supposed to secure their computers putting them at risk?
A string of security applications here (the list is not the topic), both system-wide and browser specific, but no anti-virus, anti-malware as such. I’ve always privileged protection modules with specific arrays of protection to bloated all-in one (or several-in-one) so called anti-malwares, Internet Security and so on. Later on, reading several years ago a report on a critical flaw concerning a Norton product (don’t remember what application, but it had to do with anti-virus I think), then an article stating that 80% of CIOs considered these anti-x softwares at best as neutral, I opted for a “side” approach for my Internet connections and system protection. Never had a problem since then.
Oldie but a goodie. I doubt a lot of those vendors fixed all the bugs/retarded concepts on how their software is made up.
Thanks a Ton for sharing this slideshow!
It is indeed an eye-opener.
You know, I miss the days when an antivirus scanner was just that, and not all this extra crap thrown in "for your protection". Just give me something that does a quick scan when running the file, does a quick scan in the background, and can scan a file on request.
Nowadays virus scanners are such a mess of system hogging crap and serve their own adware to the user… annoying as hell.
AV web services are basically a MiTM attack that does more harm than good. I will allow a file protection service to run as my 30th level of defense (and I guess for non-power users it is handy for alerts such as updating flash or whatever), but I will never allow it to interfere with my traffic or email or any other content thru dodgy certs and inject ads and data mine me, and put me at risk. Never seen anything but a few false alerts in the last 15 years anyway – despite all my dodgy surfing and file running.
You would probably have more alerts if you would stop cutting off the program during hairy midget goat porn…lol.
Actually, Pants is right. There is no way for an AV to scan the encrypted content that is delivered to you unless it can somehow decrypt it. This can happen as a MiTM attack or by using a browser extension that can access the unencrypted web traffic; but basically you give the AV the power to inspect/modify your encrypted traffic.
Note: When I talk about encrypted traffic I am referring to SSL.
“Actually, Pants is right.”
Ahhh .. such sweet sweet nectar to my ears .. flattery will get you everywhere, I have no shame :)
I wouldn’t trust a word from such “projects”. It’s nobody’s business to set up such shops except to pay up someone under the table.
I’m joking with Pants, but these AV programs are constantly evolving, it seems like, now. They want to be everything. Malware protection, firewall, or mini firewall, etc. From what I read from Norton one time, malware was the big thing now and they were going to have to change the way they did things. Whatever that means.
This is where I agree with Pants, I don’t want AV messing with my email and certain things. I heard that years ago, try not to let that happen.
I think it has something to do with more sinister reasons. They are ballooning and inflating the code so they can also be used as something else (think of it as some sort of virtual real estate that might be traded as a secret NSA/CIA commodity). There seems to be an ongoing trend in all areas of public computing. It’s as if they are doing the donkey carrot thing, only in a more evil manner.
No security product is secure, it’s just snake oil. The OS mechanisms are pretty good if you choose the correct OS and try to figure out the given options, like AppGuard and so on.
They are just playing with the fears of people to promote their products, which would be okay as long as they are objective, but they aren’t.
A good solution should explain first how to harden the OS, and not, like the usual way, install on a weak OS/configuration and try to fix stuff, which is horribly wrong imho. Better would be to determine OS status before installing and change OS-wide params instead of installing useless hundreds of megabytes for engines that don’t change anything OS related.