Esteemed bug hunter and security expert Tavis Ormandy showed that the only thing worse than having your trust betrayed is having your trust betrayed by the Trend Micro virus scanner.
Late last year, Ormandy unveiled an important security flaw in AVG's Chrome security add-on. Now he has turned his attention to the Trend Micro anti-virus, and what he found was not pretty.
Trend Micro's installation automatically brings along a piece of software called Password Manager (PM), which allows malicious users to launch programs and execute commands on remote PCs.
What's even more disheartening is that the PM gives hackers access to all of the saved passwords on your machine, and it does so stealthily. In case you were wondering, Password Manager is compatible with PCs, Macs, Android and iOS.
Ormandy's security company tested the vulnerability of Trend Micro on an old API - specifically an older variant of Chromium. The security experts used version 41 of the software, although Trend Micro is already at version 49.
By utilizing the exploit he found in the "antiquated" variant of the anti-virus, Google's security engineer managed to remotely start Windows Calculator, a local program. This shows how unreliable some pieces of software can be, even when they are built with your safety in mind.
"I don't even know what to say - how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?" Ormandy notes.
The unveiling of the vulnerability points out that safety breaches are almost always present in the software that should prevent them. The camouflage capability of the malicious code can hurt many PC users without them even knowing that they are under attack.
Trend Micro made the right PR move and apologized to its users, acknowledging that it put their safety at risk. The company further noted that it cooperated closely with Tavis to fix the bug.
"Thanks to his responsible work with us, we were able to address the most critical issues he brought us in less than one week," Trend Micro's blog reads.
It's not the first time such issues have come to light, however. A while ago, Kaspersky sent out a warning to all users about the myriad of anti-virus programs available. The company underlined that among the honest and legitimate programs, there are a lot of fakes pretending to be under a bigger brand.
Researchers called out big names in the security industry for severe safety flaws in their antivirus products. Malwarebytes, Kaspersky Lab, AVG Technologies, Avast and ESET are only some of the enterprises that had to admit mistakes in coding.
It seems that attackers who exploit anti-virus programs have taken a liking to the remote execution of malevolent code, which allows them to hijack the antivirus product. This in turn allows hackers to get high-privilege access to confidential files and information.
As antivirus software is a man-made product, it is reasonable to expect some degree of coding error. It is also easy to understand that although the public does not expect security applications to be entirely bug-free, it demands that they have fewer flaws than the rest of the programs running on their computers.