SECURITY FIRM Trend Micro has thanked Google security researchers for bringing an issue with its kit to its attention and promised that it is tackling the thing.
Trend Micro was accused of serving its customers a treat in the form of a virus threat because of some poor housekeeping. Trend Micro and its customers' problems were discussed in the news and on a Google Code thread.
Tavis Ormandy, a researcher at Google's Project Zero bug hunter group, was unimpressed with the results of his own discovery and leaped on Trend Micro and its issue with some enthusiasm.
According to Ormandy, Trend Micro installed a wide-open Node.js server by default on its customers' computers, and apparently made some efforts to hide this.
"When you install Trend Micro Antivirus on Windows, by default a component called Password Manager is also installed and automatically launched on startup," said Ormandy on the Google Security Research forum.
That's not cool. Ormandy called it "the most ridiculous thing I've ever seen", and took this and a range of other gripes to Trend Micro, repeating his messages on the forum for all to see.
"I don't even know what to say - how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?" he wailed.
"You need to come up with a plan for fixing this right now. Frankly, it also looks like you're exposing all the stored passwords to the internet, but let's worry about that screw up after you get the remote code execution under control."
We asked Trend Micro for its take on a discussion on the Google security pages yesterday and it got back to us late in the evening. It thanked the Google people for their work and said that it too has done some work to fix what might have been a possible problem.
"Tavis Ormandy, a well-known and well-respected security researcher, contacted us to report these issues to our Trend Micro Product Vulnerability Response process. Trend Micro has had a mature vulnerability response for a number of years and we handled these reports within that process," said Christopher Budd, global threat communications manager at Trend Micro.
"We responded quickly to the initial report and worked with Tavis throughout the process to understand the issue and address them. Thanks to his responsible work with us, we were able to address the most critical issues he brought us in less than one week.
"We are not aware of any active attacks against these vulnerabilities in that time." µ
Stop laughing at the back Iain iPhone
AI want to break free
Not making friends, but influencing people
But eager game streaming beavers will have to wait until 2020