Google security researcher Tavis Ormandy has taken AVG developers to task over genuine security risks that could have allowed hackers to infiltrate users' web browsers.
We covered the story last week of how Ormandy discovered that AVG's free Web TuneUp Chrome browser extension was a potential security threat, one that might have exposed the personal data and browsing history of over 9 million users to the entire internet.
Now, Ormandy has found that AVG were not the only anti-malware developer with security issues.
Ormandy found significant bugs in Trend Micro's own antivirus product that could allow remote code execution from virtually any website, letting an attacker steal all of a user's passwords.
Details of the security flaws in Trend Micro's product became public late last week after Ormandy disclosed a copy of the back-and-forth email conversation between him and Trend Micro.
After Ormandy initially had to deal with what appeared to be a first-level tech support representative at the antivirus company, Trend Micro had to up its game quickly once the scale of the security vulnerability became apparent. A clearly frustrated Ormandy suggested that Trend Micro should be paging its staff members to resolve the issue as soon as they could.
The issue with Trend Micro's code centred on a password manager in which users can opt to store their passwords. Within 30 seconds of looking at the underlying code, Ormandy found an API extension that allowed him to access the passwords stored within it.
While Trend Micro has now fixed the security flaw in its antivirus, Ormandy criticised the company for its response time, saying it should have moved faster to resolve the threat.
“In my opinion, you should temporarily disable this feature for users and apologise for the temporary disruption, then hire an external consultancy to audit the code.”
Ormandy also criticised Trend Micro for not fixing a major issue when they claimed they had. His response was scathing:
“This thing is ridiculous, wtf is this…You were just hiding the global objects and invoking a browser shell…[this]… adds insult to injury…I don’t even know what to say – how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant? You need to come up with a plan for fixing this right now. Frankly, it also looks like you’re exposing all the stored passwords to the internet, but let’s worry about that screw up after you get the remote code execution under control.”
Ormandy also advised that, in his opinion, Trend Micro should "…apologise for the temporary disruption, then hire an external consultancy to audit the code." Ouch.
AVG and Trend Micro are unfortunately just the latest security companies to have been the architects of their own security flaws. Products from developers such as ESET, AVAST, and Malwarebytes were all found to have security issues in 2015.
For Trend Micro, however, what will most likely hurt most is the embarrassment and irony that the very kind of security flaw its product is supposed to protect against was part of the problem.