Steve Chang, co-founder of Trend Micro. Photographer: Maurice Tsai/Bloomberg, Steve Chang
Trend Micro is one of the biggest names in cybersecurity, an $120 billion industry that promises to deflect a significant chunk of attacks hitting customers. But Trend and many of its peers are themselves creating software vulnerable to hacks, as proven by two researchers who’ve found and reported more than 200 flaws across the South Korean company’s suite of products since July 29 last year.
Security researchers Roberto Liverani and Steven Seeley reported the first bug to Trend on July 29 2016 and have continued to find a mix of vulnerabilities, from the mundane to the shocking. In total they’ve uncovered 223 weaknesses across 11 TrendMicro products. A whopping 194 can be exploited remotely, and all are triggered without user interaction, making them significantly more serious.
One of the more serious issues lay in Trend Micro’s data loss prevention tool. The pro hackers discovered that, via a memory corruption vulnerability, they could take control of the server running the software. They could then send out malicious updates to every single PC or other client connected to the server.
“It’s a full compromise of the complete network once you own the node. It’s pretty nasty, to say the least,” added Seeley.
The attack would require an initial breach of the network. But they found another issue in InterScan, another Trend product that acts as the outfacing system that protects the network. “This can be targeted with an unauthenticated remote code exploit. Once you’re within the network from this point, you can pivot onto the DLP box.”
As for the basic weaknesses, one was an unauthenticated stored cross-site scripting (XSS) flaw, where it’s possible to trick a customer to click on a link to the affected webpage and then hand over login tokens for the affected technology. It’s “the worst type” of XSS, one of the most common vulnerabilities on the web. “It’s just a matter of time [until] an admin will visit that particular admin page and fire our potentially malicious payload,” said Seeley.
Whilst Trend was quick to respond to the researchers’ seemingly never-ending disclosures, many issues were “quite trivial” to find, leaving Seeley wondering why the company’s own audits hand’t picked up on many of them. And in one situation, even where they did issue a fix, they didn’t patch adequately, he added. “Their patch completely failed and it was quite bad. I could have easily bypassed it.”
Trend was keen to note that the vulnerabilities found by Liverani and Seeley were not in its well-known and widely-used endpoint or Deep Security products. Jon Clay, global director of threat communications, said the company “takes every vulnerability found within our products seriously regardless of whether it is multiple submissions or a single submission.”
“We know there is a growing interest and level of activity in vulnerability research, and we are dedicated to rapidly addressing any issues that are uncovered by the research community.”
Liverani and Seeley plan to showcase their exploits at the Hack In The Box conference in Amsterdam this April, by which time they may have found many more weaknesses.
A vulnerable security industry
Professor Alan Woodward, a digital security expert from the U.K.’s University of Surrey, said Trend was not alone; many in the industry likely have products with similar issues. “It’s obviously a concern when security products have this number of vulnerabilities. I can imagine Trend are going to be embarrassed but sadly I’m not sure one can single out Trend as being particularly poor at their testing,” Woodward said.
“I think what it demonstrates is just how complex these system have become and as we all know complexity is the enemy of security.”
In recent months, Google’s Tavis Ormandy has been hunting bugs in anti-virus product, in the belief that sometimes security tools make companies more vulnerable, not less. His recent scalps have included Kaspersky and Symantec.
Got a tip? Email at TFox-Brewster@forbes.com or firstname.lastname@example.org for PGP mail. Get me on Signal on +447837496820 or email@example.com on Jabber for encrypted chat.