You install antivirus software because you expect it to protect your computer.
As Google researcher Tavis Ormandy discovered, antivirus software doesn’t always work that way. Ormandy found a horrific security hole in Trend Micro’s antivirus software.
That hole consists of a set of bugs involving Trend Micro’s password manager. This password manager is reportedly extremely insecure: an attacker with the right knowledge of these flaws could basically steal all the passwords you keep in it, which is the absolute last thing you want a password manager to allow.
Worse, they can attack your computer even if you don’t use the password manager. And they can do all of this through an ordinary browser.
Trend Micro Launches on Startup
Trend Micro’s antivirus flaw occurs at startup. The software automatically launches on startup and has a feature that allows for arbitrary code execution within the password manager.
That password manager is reportedly so flawed that it allows for malicious code execution even if users never use the service.
Meanwhile, users who store their passwords within the system could see their passwords exposed to the internet.
The good news is that the passwords are hashed. So even if they’re exposed, it’s not quite as bad as it could be.
The websites to which those passwords belong, however, are stored as plaintext internet domains.
In an example of this flaw, Ormandy demonstrates how he was able to execute Calc.exe remotely from within the browser.
In an angry email to Trend Micro, Ormandy said the following:
“So this means, anyone on the internet can steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction. I really hope the gravity of this is clear to you, because I’m astonished about this.”
Whew! Go get him, Tavis.
Google Previously Attacked AVG Over Security Holes
Google has been on a bit of a rampage against the antivirus industry of late.
Two weeks ago, Google attacked AVG Antivirus for breaking Chrome’s security.
Yes, the AVG bug report was filed by the same guy who identified the latest Trend Micro antivirus flaw.
In any case, AVG Web TuneUp fundamentally broke Chrome’s web security platform. This disabled Chrome’s built-in web security for 9 million users.
That’s not the first time AVG has come under fire. Over the last few years, consumers have attacked AVG for installing its AVG SafeSearch toolbar without permission and then selling data collected through that toolbar to advertisers.