Trend Micro AV gave any website command-line access to Windows PCs

PCs running Trend Micro's Windows antivirus can be hijacked, infected with malware, or wiped clean by any website, thanks to a vulnerability in the security software. The design blunders in the consumer build of Trend's AV were discovered by Google Project Zero bod Tavis Ormandy. A patch is now available to address the remote- …

  1. cbars Bronze badge

    //should probably remove this for prod

    Whoops.

    Well done Tavis

  2. David Roberts
    FAIL

    Fixed it?

    No, just fixed the first most glaringly obvious stupidity.

    Another 70 APIS to be checked, according to the report.

    Avoid!

    1. Aniya
      Unhappy

      Re: Fixed it?

      I can forgive a quick and temporary fix, but I cannot forgive a poor response and lack of reassurance that the bigger problem as a whole will be looked into and fixed. As has been said, this should not even have been a problem to begin with. This is not just a programming error. This is poor design right from the beginning. Poor design which should have been corrected a very long time before RTM.

      My friend recently talked about evaluating Trend Micro for their business.

      Not anymore!

  3. Anonymous Coward
    Flame

    "Tavis brought us a report of a possible vulnerability..."

    That sentence suggests one of:

    (1) Trend Micro really doesn't understand that being able to remotely launch executables from a privileged Windows service isn't a "possible" vulnerability, it's just about the biggest steaming PoS vulnerability possible.

    (2) Their engineers do understand this, but the PR & Marketing lads & lasses are so disconnected from engineering that they get to make up any old crap without review.

    (3) or maybe they just focus on scaring grannies with buzzwords and blandishments until they buy a copy, and don't care whether it passes an engineer's smell test.

    It sure doesn't inspire me to try their products...

    1. Adam 1

      Re: "Tavis brought us a report of a possible vulnerability..."

      Not least of which is a trivial command to add

      127.0.0.1 trendmicro.com

      to their victims' hosts file while they think of something more exciting to do.

  4. CrosscutSaw

    Pick your poison

    Great. Just as I had replaced AVG with TM.

    1. PJF

      Re: Pick your poison

      Kaspersky, maybe?

      ... the enemy of my enemy is my friend...

      1. allthecoolshortnamesweretaken

        Re: Pick your poison

        "... the enemy of my enemy is my friend..."

        No.

        The enemy of my enemy is my enemy's enemy. No more. No less.

        Source: The Seventy Maxims of Maximally Effective Mercenaries (#29)

      2. RIBrsiq

        Re: Pick your poison

        "The enemy of my enemy is my friend".

        The enemy of my enemy is also my enemy.

        1. CrosscutSaw

          Re: Pick your poison

          So, they're all our enemy :(

          No Kaspersky... I've had the worst time with them the last couple of years. I honestly don't know how they are always rated high in AV tests. It blocked everything and made some machines hang, and of course uninstalling was terrible. ( I guess you can argue that about any of the others? yea our enemies )

    2. VinceH

      Re: Pick your poison

      "Great. Just as I had replaced AVG with TM."

      I've been using it for a good few years now and have even been recommending it to people. :/

    3. Anonymous Coward

      Re: Pick your poison

      Webroot. You won't look back. The past few years they've incorporated unique technology from Prevx and Threatfire. I have high confidence in their technical capability not to allow such vulnerabilities.

  5. mathew42
    Flame

    > I tell them I'm not going to go through them, but that they need to hire a professional security consultant to audit it urgently.

    WTF? I'm assuming as a security vendor Trend might have one or two security consultants on staff!

    1. Mark 85

      Probably only for OPS*, not their own from the way the article and the links read.

      *Other People's Stuff/Shiitte.

    2. NotBob
      Holmes

      Never assume competence.

  6. Mad_Max
    Pirate

    "Dear @trendmicro, wtf were you thinking?"

    Trend Micro what a bunch of clowns.

  7. Alan Denman

    Who pays the piper pays?

    Sponsored ineptness then?

  8. Shane Sturrock

    'Security' software is a scam

    Seriously, why are people still living with this junk? Well, MS in their wisdom let everyone run as admin and let them get used to it, and when Vista came out and they tried to fix it, everyone complained, so they relaxed it for 7 and so on, and so it is still just a simple click from a normal admin user to accept whatever the heck some piece of software is wanting to do. No password or anything, just click OK. If you ever look at the installers for Windows packages (and don't just accept the defaults), once you give it permission it will often want to install all sorts of other nasties, and many are really sneaky about it too, making it quite unclear to the typical user just what they're clicking OK to. Security in Windows is still very borked. So, with that in mind, we have 'security' software that tries to clean up the mess after the fact, when the mess should never have happened in the first place if Windows had some decent security settings in the first place and a proper packaging system, but that would be too hard for the delicate users who might actually have to think about what they're clicking on. Funny how the 'stupid' 'noob' 'more money than sense' Mac users manage to cope with settings which require administrator passwords when installing software, and signed packages from known vendors, because a Mac comes out of the box with reasonable security. Yes yes, trojans etc., and you can turn this stuff off if you want to, but really, there's still a culture issue on Windows which can't be fixed by security software, because trusting any tool that has the ability to make significant changes to your environment automatically is beyond foolish.

    5,4,3,2,1....hate hate hate panic mode down votes incoming......

    1. kryptylomese

      Re: 'Security' software is a scam

      You need to say "Install Linux" if you really want to get lots of down votes. I think Windows people use the down votes as a way of displaying how they feel about the products that they evangelise!

    2. goldcd

      Good point - but not really the point

      I'm sure OSX will let you install Trend (or anything else), prompt you for admin privs and will deploy itself in a beautifully organized fashion.

      If the thing you've just given admin privs to then happily allows itself to execute anything it finds on the web as admin - well you're just as equally f'd.

      1. Shane Sturrock

        Re: Good point - but not really the point

        Non-admins can install software on a Mac and that software will only get the rights of the user who installed it. This is due to how the packages are bundled because everything the application needs is in the app bundle and can be removed as easily as deleting that bundle once installed. Compared to the setup.exe and remove programs way on Windows, the Mac is light years ahead. Enforce signed packages and you're unlikely to get all that additional crap that the installers for Windows packages love to bundle by default. There are some packages (MacKeeper for instance) which I would define as malware and which are horrendously difficult by design to remove because it insists on having admin rights to install and then uses those rights to spread itself around the system like a hydra and when you try and remove it, it reinstalls the parts you removed. Getting that off my father-in-law's machine required booting the Mac into single user mode and then going through all the directories that it was spread through and removing them but it isn't common to have something as nasty as this and as I said, normal users are able to install packages without admin rights and use them just fine (each user has their own Applications folder) and those packages can't go making changes to the system. Unfortunately, implementing anything like this on Windows would result in the breaking of many older packages and MS lives and dies by backwards compatibility. My solution is to run Windows in a VM (snapshotted so I can roll back in case it screws up) and I can do whatever I need to and then close it back down. I don't run security software on it outside the basic MS supplied stuff because I don't use it much and I don't install much. Windows is the new classic environment, simply there for compatibility but never used for serious stuff.

        1. Adrian 4

          Re: Good point - but not really the point

          'Classic' ?

          I prefer to think of it as 'legacy'

    3. naive

      Re: 'Security' software is a scam

      Any OS in need of third party 'Security' software is a scam, since they are crutches supporting bad design choices. People who have a professional attitude towards IT should perhaps rethink, and trash all this costly Redmond crap requiring monthly WSUS updates, reboots and daily virus scanner updates.

      ((and let the down voting begin :) ))

      1. Archie Woodnuts

        Re: 'Security' software is a scam

        Apt user name.

      2. allthecoolshortnamesweretaken

        Re: 'Security' software is a scam

        So, in short, any OS out there is a scam?

        1. Anonymous Coward

          Re: 'Security' software is a scam

          "So, in short, any OS out there is a scam?"

          Don't think anyone's quite claiming that, but there's plenty of evidence to suggest that the widely known one(s) in widespread use leave a great deal to be desired from a security point of view. There's little public evidence either way in respect of the OSes that aren't in widespread use (e.g. ones from DEC, IBM, and more recent stuff such as Qubes).

    4. DCLXV

      Re: 'Security' software is a scam

      "...so it is still just a simple click from a normal admin user to accept whatever the heck some piece of software is wanting to do. No password or anything, just click OK."

      To be fair, there are valid reasons for this type of access, which I imagine is why it's also a configurable option on any Linux system with sudo.

      As a routine user of both Win 7 and Linux, I actually find myself far more likely to accidentally sudo something I shouldn't have than to mindlessly click away the UAC box that pops up infrequently enough (even set to strict policy) that it really stands out when it does.

  9. This post has been deleted by its author

  10. Anonymous Coward

    antivirus software

    I always wondered what the CPU cycles and networks traffic was for - it is just to steal all your stuff.

  11. Chewi
    FAIL

    You missed…

    …the part about bundling an old version of Chrome, calling it with --disable-sandbox and having the cheek to call it "Secure Browser". I also found that quite entertaining.

  12. adam payne

    *looks at article and just shakes head*

  13. RIBrsiq

    "[Trend Micro] need to hire a professional security consultant to audit it urgently".

    Ouch! That has to hurt.

    1. dlc.usa

      "Ouch! That has to hurt."

      Indeed, but entirely earned. They clearly need outside help.

  14. drtune

    Wow that's a stunningly long list of epic fails from Trend Micro there - a shower of utter fuckwits.

    Theirs may be the least effective security product since the tinfoil hat.

    1. Roo
      Windows

      "Theirs may be the least effective security product since the tinfoil hat."

      Can't argue with that, but I'd like to point out that a tinfoil hat doesn't really do any harm on its own, whereas AV software adds a ton of new code to critical paths, and adds a whole new set of attack surfaces in addition to mitigating published (i.e. known) attack vectors.

      Typically one of the new attack vectors that AVs bring with them is the ability for an arbitrary bunch of folks to upload & run arbitrary code as Admin/root on your machine any time they can...

      1. fajensen
        Black Helicopters

        ... attack vectors that AVs bring with them is the ability for an arbitrary bunch of folks to upload & run arbitrary code ...

        Of course. Anti-virus software is certain to be an important part of the "Global War on Terror (and Everything Else, now we are at it)". That's why "we" need to have it.

        Even if the junk-ware was honestly implemented and only checksummed files exactly as it sez on the tin, a database of those file signatures can be used to track the movement of information, what information is new, which is dynamic and which is static - so "They" can work out who to drone next.

  15. ecofeco Silver badge

    WTF?!!!

    Did Trend Micro hire some ex McAfee folks?

  16. x 7

    Does Graham Cluley still work for Trend? His website is curiously quiet about this little problem.......

  17. eldakka
    Pint

    Nice zinger

    Telling a professional security company that: "they need to hire a professional security consultant to audit it urgently." hahaha.

  18. Justin Goldberg

    Their password manager left a 30GB file on a customer's computer because it kept reading Chrome input incorrectly. It filled up their drive! TM has gone downhill since their heyday.

    1. Two Lips
      FAIL

      TM never had a heyday.

      They had a huge marketing budget used to bribe semi-literate IT managers

      Ever since I first encountered their kerrap on a work PC I was unimpressed. After having multiple work PCs hosed while TM was installed and up-to-date, I became fully informed about their sub-standard products. Wouldn't touch them with a bargepole even if their products miraculously scored top marks. You cannot change a company culture.

  19. strangmar

    Thanks Tavis!

    Tavis

    A friend alerted me to your article. I contacted Trend who confirmed it didn't affect my version (we run about 200 seats of the Officescan variant).

    I then looked at some of the to-ing and fro-ing you did in the Vulnerability reporting area. Didn't follow all of it, but what I did get, loud and clear, is how fortunate it is that people like you are willing to give your time, skills and dedication to helping the broader community, and dealing via the proper channel (even if it is frustrating; I could almost feel you holding your breath / counting to 10!).

    Thank you VERY much for all the work you put into this.

    Simon Trangmar

    Adelaide \ Australia
