GOOGLE'S NO PUNCH PULLING Project Zero security outfit has cast a shame shadow on Trend Micro and forced the firm to issue a patch for a command execution flaw.
Project Zero researcher Tavis Ormandy is the source of the alert, and we have met him before. Ormandy has had a pop at Trend Micro in the past, and is known to the people who deal with security problems at Kaspersky.
"This is ridiculous. There is a remote debugger stub listening by default on a new install of TrendMicro Antivirus," Ormandy wrote on the Chromium bugs blog, adding that the bug is present on Trend Micro Maximum Security, Trend Micro Premium Security, Trend Micro and Password Manager.
Trend Micro replied quickly to the posting, and a character from customer support offered to get back with a response within a couple of days. Ormandy ploughed onwards, offering to look at the build for the firm and help with a solution.
The security firm shot back saying that it expects to release a short-term fix for customers soon. Again, the Project Zero man went forth, asking just what kind of mitigation and just how short-term it might be that the firm was talking about.
Ormandy was unimpressed by Trend Micro's repair work, and raised some concerns. We asked Trend Micro to give us the official line, and the firm delivered.
"Trend Micro is aware of a disclosure by Tavis Ormandy, a well-known and respected researcher with Google's Project Zero team, regarding vulnerabilities discovered in Trend Micro Password Manager, a consumer-focused product," said Christopher Budd, global threat communications manager at Trend Micro.
"This issue was found to only affect Trend Micro Password Manager, which is bundled with Trend Micro Titanium Premium Security and Trend Micro Titanium Maximum Security consumer-focused products. Password Manager is not included with any SMB or enterprise products.
"As part of our standard product vulnerability response process, a mandatory patch addressing the most critical issues was validated by the researcher and automatically pushed to affected Trend Micro Password Manager consumers via Trend Micro's ActiveUpdate servers.
"Most, if not all, users of the product should have the update in place at this time. It is important to note that there is no evidence that the proof-of-concept exploits reported to us were ever used publicly.
"Trend Micro takes all reports of vulnerabilities very seriously, and is committed to addressing any legitimate issues as quickly as possible after they are reported to us."
And breathe. µ
To hear more about security challenges, the threats they pose and how to combat them, sign up for The INQUIRER sister site Computing's Enterprise Security and Risk Management conference, taking place on 24 November.
POKE no more. Oh wait, that was 30 years ago
Soon people may also be assessed by their flaws
More chat, less cloud
But firm falls short of promising a fix