Opendns updater and avast 2016 update
Ormandy said the update resolves the issue but that he remained concerned that the password manager continues to expose more than 70 potentially dangerous programming interfaces to the open Internet.
In the past few days, TrendMicro began testing an emergency fix it planned to push out to end users. Ormandy said it took him only about 30 seconds to find one of many code-execution holes in the antivirus program. In my experience dealing with security vendors, users are quite forgiving of mistakes if vendors act quickly to protect them once informed of a problem, I think the worst thing you can do is leave users exposed while you clean this thing up.
In my opinion, you should temporarily disable this feature for users and apologise for the temporary disruption, then hire an external consultancy to audit the code. I really hope the gravity of this is clear to you, because I'm astonished about this.
Opendns updater and avast 2016 code
So this means, anyone on the internet can steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction. Frankly, it also looks like you're exposing all the stored passwords to the internet, but let's worry about that screw up after you get the remote code execution under control." Elsewhere in the exchange, Ormandy criticized company developers for failing to move faster to contain the threat and renewed his call for them to seek help from outside security professionals. "You need to come up with a plan for fixing this right now. "I don't even know what to say-how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?" Ormandy wrote in an exchange with a TrendMicro official. Those who did use it were also susceptible to hacks that allowed attackers to view hashed passwords and the plaintext Internet domains they belonged to. While the code execution vulnerabilities were contained in the password manager included with the antivirus package, they could be maliciously exploited even if end users never make use of the password feature.
The release came after a Google security researcher publicly castigated a TrendMicro official for the threat. Details of the flaws became public last week after Tavis Ormandy, a researcher with Google's Project Zero vulnerability research team, published a scathing critique disclosing the shortcomings. Antivirus provider TrendMicro has released an emergency product update that fixes critical defects that allow attackers to execute malicious code and to view contents of a password manager built in to the malware protection program.