This one’s a head scratcher, but a thread on Google Code has revealed that Trend Micro exposed its antivirus customers to attack, after it installed a wide-open Node.js server by default on its customers’ computers.
The Node.js server is part of Trend Micro’s ‘Password Manager’ utility and installed with the company’s antivirus software, as well as being set to open at startup, by default.
Another conference. “Great.”
This one’s different, trust us. Our new event for New York is focused on quality, not quantity.
If you thought it couldn’t get any worse, it does.
Trend Micro also adds a self-signed security certificate to the user’s certificate store, so the user won’t see any HTTPS errors.
Tavis Ormandy, a researcher at Google’s Project Zero vulnerability team, wrote in the thread that “this thing is ridiculous.”
As research into the flaw continued, Ormandy found that an attacker could silently steal the passwords stored in Trend Micro’s safe and decrypt them, all using the original flaw, telling the company that “I really hope the gravity of this is clear to you, because I’m astonished about this.”
He then recommends that the company disable the feature, to protect users:
In my opinion, you should temporarily disable this feature for users and apologise for the temporary disruption, then hire an external consultancy to audit the code. In my experience dealing with security vendors, users are quite forgiving of mistakes if vendors act quickly to protect them once informed of a problem, I think the worst thing you can do is leave users exposed while you clean this thing up. The choice is yours, of course.
Ultimately, Trend Micro chose not to disable the tool, instead issuing an emergency fix to disable the first vulnerability two days ago.
The issue was first disclosed to Trend Micro on January 5, but wasn’t resolved until today — even now it’s only partially fixed, with the company issuing an emergency patch.
In response to Trend Micro dragging its heels, Ormandy said that he “[doesn’t] even know what to say – how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?”
The thread is now public and it’s an incredible insight into how enterprise-grade antivirus software, which is supposed to protect users against threats, actually left them wide open to attack.