//should probably remove this for prod
Whoops.
Well done Tavis
PCs running Trend Micro's Windows antivirus can be hijacked, infected with malware, or wiped clean by any website, thanks to a vulnerability in the security software. The design blunders in the consumer build of Trend's AV were discovered by Google Project Zero bod Tavis Ormandy. A patch is now available to address the remote- …
I can forgive a quick and temporary fix, but I cannot forgive a poor response and lack of reassurance that the bigger problem as a whole will be looked into and fixed. As has been said, this should not even have been a problem to begin with. This is not just a programming error. This is poor design right from the beginning. Poor design which should have been corrected a very long time before RTM.
My friend recently talked about evaluating Trend Micro for their business.
Not anymore!
That sentence suggests one of:
(1) Trend Micro really doesn't understand that being able to remotely launch executables from a privileged Windows service isn't a "possible" vulnerability, it's just about the biggest steaming PoS vulnerability possible.
(2) Their engineers do understand this, but the PR & Marketing lads & lasses are so disconnected from engineering that they get to make up any old crap without review.
(3) or maybe they just focus on scaring grannies with buzzwords and blandishments until they buy a copy and don't care whether it passes a engineer's smell test
It sure doesn't inspire me to try their products...
"... the enemy of my enemy is my friend..."
No.
The enemy of my enemy is my enemy's enemy. No more. No less.
Source: The Seventy Maxims of Maximally Effective Mercenaries (#29)
So, they're all our enemy :(
No Kaspersky... I've had the worst time with them the last couple of years. I honestly don't know how they are always rated high in AV tests. It blocked everything and made some machines hang, and of course uninstalling was terrible. ( I guess you can argue that about any of the others? yea our enemies )
Seriously, why are people still living with this junk. Well, MS in their wisdom let everyone run as admin and let them get used to it, and when Vista came out and they tried to fix it, everyone complained so they relaxed it for 7 and so on and so it is still just a simple click from a normal admin user to accept whatever the heck some piece of software is wanting to do. No password or anything, just click OK. If you ever look at the installers for Windows packages (and don't just accept the defaults) once you give it permission it will often want to install all sorts of other nasties and many are really sneaky about it too making it quite unclear to the typical user just what they're clicking OK to. Security in Windows is still very borked. So, with that in mind, we have 'security' software that tries to clean up the mess after the fact when the mess should never have happened in the first place if Windows had some decent security settings in the first place and a proper packaging system but that would be too hard for the delicate users who might actually have to think about what they're clicking on. Funny how the 'stupid' 'noob' 'more money than sense' Mac users manage to cope with settings which require administrator passwords when installing software, and signed packages from known vendors because a Mac comes out of the box with reasonable security. Yes yes, trojans etc and you can turn this stuff off if you want to but really, there's still a culture issue on Windows which can't be fixed by security software because trusting any tool that has the ability to make significant changes to your environment automatically is beyond foolish.
5,4,3,2,1....hate hate hate panic mode down votes incoming......
I'm sure OSX will let you install Trend (or anything else), prompt you for admin privs and will deploy itself in a beautifully organized fashion.
If the thing you've just given admin privs to then happily allows itself to execute anything it finds on the web as admin - well you're just as equally f'd.
Non-admins can install software on a Mac and that software will only get the rights of the user who installed it. This is due to how the packages are bundled because everything the application needs is in the app bundle and can be removed as easily as deleting that bundle once installed. Compared to the setup.exe and remove programs way on Windows, the Mac is light years ahead. Enforce signed packages and you're unlikely to get all that additional crap that the installers for Windows packages love to bundle by default. There are some packages (MacKeeper for instance) which I would define as malware and which are horrendously difficult by design to remove because it insists on having admin rights to install and then uses those rights to spread itself around the system like a hydra and when you try and remove it, it reinstalls the parts you removed. Getting that off my father-in-law's machine required booting the Mac into single user mode and then going through all the directories that it was spread through and removing them but it isn't common to have something as nasty as this and as I said, normal users are able to install packages without admin rights and use them just fine (each user has their own Applications folder) and those packages can't go making changes to the system. Unfortunately, implementing anything like this on Windows would result in the breaking of many older packages and MS lives and dies by backwards compatibility. My solution is to run Windows in a VM (snapshotted so I can roll back in case it screws up) and I can do whatever I need to and then close it back down. I don't run security software on it outside the basic MS supplied stuff because I don't use it much and I don't install much. Windows is the new classic environment, simply there for compatibility but never used for serious stuff.
Any OS in need of third party 'Security' software is a scam, since it are crutches supporting bad design choices. People who have a professional attitude towards IT should perhaps rethink, and trash all this costly Redmond crap requiring monthly WSUS updates, reboots and daily virus scanner updates.
((and let the down voting begin :) ))
"So, in short, any OS out there is a scam?"
Don't think anyone's quite claiming that, but there's plenty of evidence to suggest that the widely known one(s) in widespread use leave a great deal to be desired from a security point of view. There's little public evidence either way in respect of the OSes that aren't in widespread use (e.g. ones from DEC, IBM, and more recent stuff such as Qubes)
"...so it is still just a simple click from a normal admin user to accept whatever the heck some piece of software is wanting to do. No password or anything, just click OK."
To be fair, there are valid reasons for this type of access, which I imagine is why it's also a configurable option on any Linux system with sudo.
As a routine user of both Win 7 and Linux, I actually find myself far more likely to accidentally sudo something I shouldn't have than to mindlessly click away the UAC box that pops up infrequently enough (even set to strict policy) that it really stands out when it does.
This post has been deleted by its author
"Theirs may be the least effective security product since the tinfoil hat."
Can't argue with that, but I'd like to point out that a tinfoil hat doesn't really do any harm on it's own, where as AV software adds a ton of new code to critical paths, and adds a whole new set of attack surfaces in addition to mitigating published (ie: known) attack vectors.
Typically one of the new attack vectors that AVs bring with them is the ability for an arbitrary bunch of folks to upload & run arbitrary code as Admin/root on your machine any time they can...
... attack vectors that AVs bring with them is the ability for an arbitrary bunch of folks to upload & run arbitrary code ...
Of course. Anti-virus software is certain to be an important part of the "Global War on Terror (and Everything Else, now we are at it)". That's why "we" need to have it.
Even if the junk-ware was honestly implemented and only checksummed files exactly as it sez on the tin, a database of those file signatures can be used to track the movement of information, what information is new, which is dynamic and which is static - so "They" can work out who to drone next.
They had a huge marketing budget used to bribe semi-literate IT managers
Ever since I first encountered their kerrap on a work PC I was unimpressed. After having multiple work PCs hosed while TM was installed and up-to-date, I became fully informed about their sub-standard products. Wouldn't touch them with a bargepole even if their products miraculously scored top marks. You cannot change a company culture.
Travis
A friend alerted me to your article. I contacted Trend who confirmed it didn't affect my version (we run about 200 seats of the Officescan variant).
I then looked at some of the to-ing and fro-ing you did in the Vulnerability reporting area. Didn't follow all of it but when I did get, loud and clear, is how fortunate it is that people like you are willing to give your time, skills and dedication to helping the broader community - and dealing via the proper chanel (even if it is frustrating - I could almost feel you holding your breath / counting to 10!).
Thank you VERY much for all the work you put into this.
Simon Trangmar
Adelaide \ Australia