Software Integrity Blog


When your anti-malware program has a zero-day

Software intended to protect your computer from malware and remote attackers shouldn’t be vulnerable to exploitation, yet that is what one security researcher is finding.

Discovering password manager vulnerability

Earlier this month, Tavis Ormandy, a Google Project Zero security researcher, disclosed his latest such vulnerability, this time affecting Trend Micro’s Password Manager. He found that the anti-malware company installed a wide-open Node.js server by default on all its customers’ computers. The software flaw could, if executed, allow a remote attacker using JavaScript to hijack a user’s web browser and steal all their passwords. Worse, the flaw exists as long as you have the Trend Micro malware suite installed –even if you never use the password manager.

Ormandy spoke out in his disclosure. “I don’t even know what to say—how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?”

Trend Micro responded in a blogpost, thanking the researcher and announcing it has updated its antimalware suite to close the vulnerability. A more technical response from the company provides more detail.

This wasn’t Ormandy’s first disclosure regarding an antivirus vendor. At the end of December, he also reported a vulnerability in a Chrome browser extension from security firm AVG that exposed the browsing history, cookies, and personal data of up to 9 million active users of the product to attackers.

In response to the zero-day vulnerability

“We thank the Google Security Research Team for making us aware of the vulnerability with the Web TuneUp optional Chrome extension,” AVG wrote in an email to SC Magazine. “The vulnerability has been fixed; the fixed version has been published and automatically updated to users.”

Ormandy has also disclosed vulnerabilities in Kaspersky Lab, FireEye, and Sophos antimalware products. In 2011, the researcher presented his findings against Sophos in a talk at Black Hat, saying “[Antivirus firms’ marketing materials] are high level double speak. They make up Hollywood-sounding names, but there’s little technical substance.”


More by this author