Posted by Robert Vamosi on February 25, 2016
Software intended to protect your computer from malware and remote attackers shouldn’t be vulnerable to exploitation, yet that is what one security researcher is finding.
Ormandy spoke out in his disclosure. “I don’t even know what to say—how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?”
Trend Micro responded in a blogpost, thanking the researcher and announcing it has updated its antimalware suite to close the vulnerability. A more technical response from the company provides more detail.
This wasn’t Ormandy’s first disclosure regarding an antivirus vendor. At the end of December, he also reported a vulnerability in a Chrome browser extension from security firm AVG that exposed the browsing history, cookies, and personal data of up to 9 million active users of the product to attackers.
“We thank the Google Security Research Team for making us aware of the vulnerability with the Web TuneUp optional Chrome extension,” AVG wrote in an email to SC Magazine. “The vulnerability has been fixed; the fixed version has been published and automatically updated to users.”
Ormandy has also disclosed vulnerabilities in Kaspersky Lab, FireEye, and Sophos antimalware products. In 2011, the researcher presented his findings against Sophos in a talk at Black Hat, saying “[Antivirus firms’ marketing materials] are high level double speak. They make up Hollywood-sounding names, but there’s little technical substance.”