
Tavis Ormandy of Google has recently discovered a critical TrendMicro design flaw identified in this bug report - TrendMicro node.js HTTP server listening on localhost can execute commands.

The bug report reads to me like a Stephen King novel of horrors of open ports, remote execution, password vault extraction, and self-signed certs. Tavis asked for escalation using the comment "...This is trivially exploitable and discoverable in the default install, and obviously wormable - in my opinion, you should be paging people to get this fixed..."

My question is: in light of the extremely poor design of this fielded antivirus product, is it not time to reconsider the value of giving such a product system-level access, considering the risk of such trust being misused as here? At the very least, is it not time for independent certification for products like these?

zedman9991
  • Great question! Especially as there have also been vulns in [ePolicy Orchestrator](https://www.exploit-db.com/exploits/33071/) and [FireEye](http://googleprojectzero.blogspot.co.uk/2015/12/fireeye-exploitation-project-zeros.html) – paj28 Jan 11 '16 at 21:30
  • Interesting question, but I think the answers will be chatty and subjective. That's off topic here. – Neil Smithline Jan 11 '16 at 21:53
  • Neil, understood. Any discussions in your circles of StackExchange hosting a chatty security site for questions more complex than why one need not hide the password salt? I'm serious and appreciate your concern. – zedman9991 Jan 11 '16 at 22:05
  • New software, security software included, also means a new attack surface. Weighing costs and benefits is *primarily opinion-based*, though. – Arminius Jan 11 '16 at 22:12
  • If you read The AntiVirus Hacker's Handbook, you'll realize that it's not just TrendMicro, but all AV vendors -- even FOSS projects such as ClamAV. AV agents always increase the attack surface and lower the security posture -- and yes, many still have millions of vulns left to uncover. They make systems more vulnerable and more easily exploitable in nearly all situations. – atdre Jan 12 '16 at 00:53
  • Without system-level access they won't be able to provide protections against rootkits and other low-level hooks in the kernel. Your concern is completely valid, though. AVs and sandbox solutions today tend to show a lot of complacency in the security of their own software. – void_in Jan 12 '16 at 05:40
  • I can see why the question may not be well suited to the StackExchange format, but thanks for sharing the link; it made for a very interesting read! – Francesco Jan 12 '16 at 06:37
  • I don't see how we can provide a non-opinion-based answer to this question. Should a TrendMicro customer worry about this issue? Probably yes. Should such a customer blindly run toward any other competing AV provider or uninstall all AV from his machine? Probably not. Should such a customer be cautious and not trust security product vendors relying only on their marketing capabilities? Certainly yes. – WhiteWinterWolf Jan 12 '16 at 10:07

0 Answers