
TrendMicro Node.js HTTP server listening on localhost can execute commands - tptacek
https://code.google.com/p/google-security-research/issues/detail?id=693
======
nvader
Props to Tavis for maintaining his composure in the face of this incompetence.
Despite his mounting frustration, you can see he keeps repeating his request,
"Turn it off, apologise for the disruption, and then get it audited before
turning it on."

Even when they perform their half-solution, he still evaluates it on its
merits, and then suggests how they can do better. A model of professionalism
in the face of an absurd situation.

------
improv32
What an absolute clusterfuck. I work at a multinational company whose IT
department (over my objection) installs Trend Micro on all user end points.
I'll be sending this the department head's way, Trend might lose some business
over this

~~~
cenal
This is clearly a terrible design flaw by Trend Micro. I hope some responsible
are looking for new jobs.

Still, there isn't much faith I put in any endpoint security solutions. They
are all terrible.

Bromium seems to be bucking the trend of traditional endpoint security but
they have one of the worst sales / business dev programs I have ever seen.
They should be much more ubiquitous than they are.

~~~
porpoisemonkey
"I hope some responsible are looking for new jobs."

If they look for (and find) new jobs wouldn't that just mean the problem is
diffused? Personally I would hope they learn from the experience of failing
than to get punished for it.

~~~
cmurf
Personally, I hope everyone else (not at Trend Micro) learns from this
experience. Computer security auditing is a serious expertise, it's hard but
made much harder to impossible when you don't have experts on the team and
instead consider security expertise as a hobby for the qualifier.

trendmicro.com > About > "Smart, simple, security that fits"

And then second is, "a global leader in IT security" and "25 years of security
expertise".

What a crock. I'm supposed to take the company's position statements and
products seriously after reading this issue report? This is like finding a
sponge in the body cavity of a patient. It's functionally malpractice. The CIO
and CTO should be fired. The CEO probably should resign, what else is the
purpose of a CEO other than to make sure the main things the company stands
for are true, and actually ships products that demonstrate it stands for those
things? If they don't resign the board needs to fire them.

~~~
cmurf
I'd like to point out that it'd be an even bigger and redder red flag (if
that's possible), should Trend Micro fire some team "security" developer, or
even the product manager.

How is it possible, that a company which describes itself in the terms it has
[1], have not done a thorough code review of all products before making them
public? That is implicit in their own description of what their business does.

I'm not even sure the worst parts of this particular product's flaws would
have escaped cursory code review by someone who is actually a security expert.
And if that's true, then selling this product as it was before patching, might
be fraud.

[1] [http://www.trendmicro.com/cloud-content/us/pdfs/about/ds_corp-facts-stnd-size.pdf](http://www.trendmicro.com/cloud-content/us/pdfs/about/ds_corp-facts-stnd-size.pdf)

------
Chris911
From the email thread:

> I happened to notice that the /api/showSB endpoint will spawn an ancient
> build of Chromium (version 41) with --disable-sandbox. To add insult to
> injury, they append "(Secure Browser)" to the UserAgent.

> I sent a mail saying "That is the most ridiculous thing I've ever seen".

This is indeed unbelievably ridiculous.

~~~
cenal
More ridiculous than that time Microsoft shipped an operating system with no
firewall enabled by default and a feature designed to allow for remote
commands to be executed?

I think the Blaster Worm and other variants that took advantage of that
excellent decision were far worse.

[https://en.wikipedia.org/wiki/Blaster_(computer_worm)](https://en.wikipedia.org/wiki/Blaster_\(computer_worm\))

[https://books.google.com/books?id=_TgEAAAAMBAJ&pg=PA60&lpg=P...](https://books.google.com/books?id=_TgEAAAAMBAJ&pg=PA60&lpg=PA60&dq=steve+gibson+windows+xp+firewall&source=bl&ots=-INXwLArT3&sig=rAt1aZ9PrKdl4ZeJhrfi1KqVMEU&hl=en&sa=X&ved=0ahUKEwiKvNrr06LKAhWBSCYKHS6sBmEQ6AEIPzAF#v=onepage&q=steve%20gibson%20windows%20xp%20firewall&f=false)

~~~
tptacek
You can make a lot of things sounds comically insecure, very much including
virtually all open source software, if you use 2003 as the benchmark.

~~~
rsync
Not really.

A FreeBSD 4.x system with a (modestly) stripped down kernel and running sshd
was not only rock solid in 2003, but would probably be rock solid today.

Just to pick one random example.

~~~
hueving
Doesn't sound like a random example to me. It sounds like one of the most
secure examples you could think of.

------
kakwa_
Having studied their Linux Antivirus (TrendMicro ServerProtect), it's far from
a clean, safe and well maintained piece of software:

* It comes with its own http server (apache, with a conf file mentioning NCSA (!))

* Their realtime kernel module barely compiles (on quite old kernel versions), has a disgusting code and Makefile and makes the computer slow or simply crashes when it kind of works.

* They ship their Antivirus with quite old libraries, some compiled more than 10 years ago, and some probably impacted by several CVEs (openssl < 1.0.0, quite old libxml).

* Their init scripts are an ugly thing written in perl launching several services in one script.

* Their rpm packages are just mindfucking. You have one rpm package to install the software, and other rpm packages to patch it... WTF.

From a piece of software, running as root (or even worse, in kernel space),
written in C and analyzing untrusted inputs by definition, it's a bit worrying
to say the least.

~~~
spb
Why is a conf file mentioning NCSA so surprising? Mosaic has a lineage that
can be traced to modern browsers like Edge, so it'd make sense to have conf
items geared toward the NCSA family of browsers.

~~~
McGlockenshire
That'll be talking about NCSA HTTPd, the ancestor of Apache. Apache forked in
1995.

[https://en.wikipedia.org/wiki/NCSA_HTTPd](https://en.wikipedia.org/wiki/NCSA_HTTPd)

Any Apache configuration file mentioning NCSA would be from the Apache 1.x
lineage.

------
pilif
With regards to TrendMicro I still remember having to deal with an end user
who had this installed and had the "internet security" feature enabled.

It intercepted the not-quite standard response header "Content-Encoding:
ps-bzip2" to our windows client application, stripped off the header it didn't
understand but, of course, didn't decompress the payload.

So our application has not seen a Content-Encoding header and thus tried to
run with the presumed-non-compressed response - that went really well.

Since that day, our server uses a content-type header that contains the word
bzip2 :(

The icing on the cake: The customer in question told me that their cousin is
working at TrendMicro and that they are by far the best virus scanner out
there and that this must clearly have been my fault.

I'm not surprised that they also get other stuff wrong.

However, I'm surprised at the level of incompetence shown here. This is a
_security_ product after all.

~~~
taspeotis
> It intercepted the not-quite standard response header "Content-Encoding:
> ps-bzip2" to our windows client application, stripped off the header it didn't
> understand but, of course, didn't decompress the payload.

I think this is actually a feature in many different products from different
vendors. If I recall correctly, ISA Server (since 2004!) and the like inspect
HTTP and SMTP traffic and validate it for conformance to published standards.
If a malformed SMTP message comes in, it discards it. This prevents your mail
server from being exposed to malformed messages, which could lead to
denial-of-service/remote-code-execution/maybe it will be fine who knows.

~~~
pilif
The content encoding header is meant to be extensible. This is where chrome
added sdch and now we're about to get brotli compression in Firefox and
chrome. If that release of trendmicro was still in use, people wouldn't be
able to visit Google with chrome nor any upcoming site with brotli support.

Also, if they didn't like my ps-bzip2 encoding, they could have also stripped
it off the clients accept-encoding header, causing the server to not compress
the response. But they left it there and just stripped off the
content-encoding response header.

~~~
Laforet
Headers are meant to be flexible in theory, but in reality it seems that
anything outside the most common few are going to break things.

The series of blog posts linked below might interest you.

[http://noxxi.de/research/http-evader-explained-2-deflate.html](http://noxxi.de/research/http-evader-explained-2-deflate.html)

------
danr4
What a shambles.

This thing with so called security products should be regulated somehow. These
sort of exploits should carry a huge fine from the FTC or something of the
sort as this, and many other "security" products (I'm looking at you AVG) is
blatant deception, if not the exact opposite.

~~~
VikingCoder
We should all demand 3rd-party audits of our security products.

~~~
smt88
I've been saying for years that unregulated information security will lead to
an Enron-level disaster and eventually result in legislation similar to
Sarbanes-Oxley. It's a shame it will take a huge disaster for this to happen.

~~~
jarcane
The huge disasters have been happening, repeatedly, for years.

There are botnets in the millions running on supposedly "Norton-protected"
PCs.

No one cares. It's not a problem the people in a position to do anything about
even understand.

------
tptacek
This is so bad that Tavis Ormandy was "astonished" by it. That has to be
saying something.

~~~
x0x0
The title on HN understates the case at this point. It's not just remote code
execution (more than bad enough, by itself). If you are foolish enough to
trust Trend Micro, they install a password store, whence:

> Then you can use the decryptString API to decrypt all the strings, and then
> POST them somewhere else.
>
> So this means, anyone on the internet can steal all of your passwords
> completely silently, as well as execute arbitrary code with zero user
> interaction. I really hope the gravity of this is clear to you, because I'm
> astonished about this.

You can convince their shit product to _POST ALL YOUR PASSWORDS_ to an
arbitrary server.

~~~
velox_io
This really is a horrific security flaw. Hard to believe that software made
specifically to protect users and their computers, opens up the floodgates and
serves their passwords on a plate.

I wonder how much damage such a flaw has caused?

~~~
zAy0LfpBZLC8mAC
Where did you get the idea that this software is "made specifically to protect
users and their computers"?

~~~
simoncion
> Where did you get the idea that this software is "made specifically to
> protect users and their computers"?

Read the marketing copy for it.

[http://www.trendmicro.com/us/home/products/software/password-manager/](http://www.trendmicro.com/us/home/products/software/password-manager/)

Note also

* that TM charges _$15/year_ for any non-toy use of the software (that is, if you want to store more than four passwords)

* the language that describes the "Secure Browser" feature, which is really an ancient version of Chrome/Chromium that has sandboxing turned off.

------
zymhan
I'm finding it harder and harder to understand why I should ever install
software that hooks into my OS on multiple levels and opens holes to the
outside world without any notification in the name of "security"

~~~
SignMeTheHELLUp
You shouldn't. Antivirus is a relic of the early 2000's.

~~~
sarciszewski
Let me back this comment up with some reading material and useful resources:

[http://decentsecurity.com/about/](http://decentsecurity.com/about/) (This
entire website)

[https://www.microsoft.com/emet](https://www.microsoft.com/emet) (for Windows)

[https://paragonie.com/blog/2015/06/guide-securing-your-business-s-online-presence-for-non-experts](https://paragonie.com/blog/2015/06/guide-securing-your-business-s-online-presence-for-non-experts) (basic web security advice for non-technical
people)

You don't need AntiVirus.

~~~
ucho
It is not that we don't need it but it is finally obvious that there is no
reliable way to detect harmful software. All we are left with is putting each
and every application in sandbox, unable to interact with any other software
or user data. It is just very hard to make that user friendly and acceptable
for average Joe.

------
blfr
How did no one within the company catch it? Aren't security products developed
by at least somewhat security-minded people? Is it all just a sham?

~~~
tptacek
No, security products are not typically developed by people who understand
secure programming, even at companies that employ teams of people to do
vulnerability research. The people who build security software are the same as
the ones who build everything else.

~~~
sarciszewski
Companies that produce "security products" don't give a damn about secure
development. They do give a damn about infographics and sales presentations
citing "sexy-sounding" research projects.

~~~
ProAm
> They do give a damn about infographics and sales presentations citing "sexy-
> sounding" research projects

Sort of like the startup community?

~~~
sarciszewski
Not too different. Most antivirus is based on a flawed premise, and most
hackers know this.

[http://www.sevagas.com/IMG/pdf/BypassAVDynamics.pdf](http://www.sevagas.com/IMG/pdf/BypassAVDynamics.pdf)

------
SignMeTheHELLUp
Just another reminder that antivirus is dead. Any antivirus can be trivially
circumvented. Based on the level of incompetence of multiple antivirus
developers over the past few years, and my own experience with antivirus
slowing down and heating up my machine, antiviruses themselves are more
trojans than anything.

~~~
jrcii
GPO with AppLocker (app whitelisting) seems to be a good solution for Windows,
kind of a pain to setup though.

~~~
JoshTriplett
While that seems like a somewhat sensible approach for non-technical end users
(modulo various kinds of runnable scripts), a whitelisting approach can't
possibly work in an organization doing software development.

I can't think of any technological approach that _would_ work in such an
organization, short of completely redesigning end-user client systems.

------
jrcii
I'm kind of surprised that their reaction is to expect Tavis to continue to
volunteer his time to audit the security of their product.

~~~
kzhahou
They're asking him to help verify the fix since he's in the best position to
do so, having caught the bug. I think this is better than them saying "thanks,
we'll take it from here, bye"

------
Sephr
> They are already in discussion with stakeholders regarding the emergency
> deployment of this fix.

You know a company is managed ineffectively when you can't even deploy
security patches without talking to stakeholders. In any reasonably-managed
company, stakeholders would only be involved with the press release announcing
the issue (if at all).

~~~
sarciszewski
This is true. The only time I ever had to talk to my CEO about a security
patch was, "Sorry, this bug is kind of urgent and the fix needs to be deployed
before tonight. Bring me back some orange chicken?"

~~~
daenney
Stakeholders != CEO. It can be, but it's hardly the only option.

~~~
sarciszewski
We don't have puppeteers, so, it's the only approximation I could muster from
my experience.

~~~
fenomas
I don't understand this thread at all.

Where I live, "stakeholders" just means the people responsible for or affected
by something. Being "in discussion with stakeholders" about a fix just means
talking to everyone involved in getting it deployed.

Is this term used with other meanings?

~~~
sarciszewski
I misread it as "shareholders" to be honest.

------
paulojreis
This is so blatantly incompetent that I can only imagine the situation being a
result of corporate _dance_.

While there are many oblivious developers, I highly doubt that incompetence
was the root cause. I'd point to a lovely mix of a) deadlines; b) slow
internal procedures to approve the usage of third-party libraries; and c)
requirements being passed to developers without context. It's hell, what
corporate environments can push us to do. I'd bet that most of the people who
worked in big corps have their own stories about internal procedures making
them do things they objectively knew were wrong.

------
antrion
Well this is scary. How am I to trust a password manager if something as
obvious as this is allowed to be shipped to the end user?

~~~
Someone1234
Most password managers are heavily audited. Likely why the Trent Macro one
wasn't is because nobody with any technical sense is installing their nonsense
to begin with.

But LastPass, Keypass, Chrome's password manager, Firefox's manager, and IE
are audited all the time, with tons of exposé articles supposedly trying to
inform us about how weak they are (but all these articles do is further
clarify how strong they are, since they only find trivial issues, or they
misunderstand a feature as a bug).

I cannot recall the last time any of these had what I would consider a REAL
security bug.

~~~
thelucky41
Chrome and firefox both store saved passwords in plain-text in easily
accessible local databases. Don't rely on them to keep passwords safe. I have
no experience with IE's password locker.

~~~
Someone1234
> Chrome and firefox both store saved passwords in plain-text in easily
> accessible local databases.

All password managers store plain text passwords. That's literally a
requirement for them to work at all.

Chrome encrypts the password in the SQLite database[0] using Windows'
CryptProtectData() API, and Firefox encrypts the passwords either using your
master password, or if none is set then it encrypts but stores the encryption
key in the key3.db.

> Don't rely on them to keep passwords safe.

You've presented no justification for that. If you're using a root compromised
machine then no password manager is safe. If your machine is secure then your
passwords are secure in both Chrome and Firefox, but more secure in Chrome.

[0] [http://www.howtogeek.com/70146/how-secure-are-your-saved-chrome-browser-passwords/](http://www.howtogeek.com/70146/how-secure-are-your-saved-chrome-browser-passwords/)

~~~
tptacek
_All password managers store plain text passwords. That's literally a
requirement for them to work at all._

I'm not sure this is what you mean to say, because, obviously, good password
managers don't store passwords in cleartext.

~~~
Someone1234
You cannot hash passwords in a password manager. It has to be reversibly
encrypted and turned back into plain text before utilisation.

So when people complain about password managers storing plain text (as opposed
to hashing) they're barking up the wrong tree, it is a necessary evil.

You just want to see them encrypt those plain text passwords so that offline
recovery is harder. That's what both Firefox's master password,
CryptProtectData() for Chrome/IE, and the key-chain in OS X provide.

~~~
tptacek
I think you're trying to say something akin to but not quite "plaintext
equivalent", and your terminology is mangling your argument.

------
nickysielicki
> To be clear, you can get arbitrary code execution whether they're using it
> or not, but stealing all the passwords from a password manager remotely
> doesn't happen very often, so I wanted to document that.

Best part.

------
johngd
This recent one in regards to an AVG Chrome extension is slightly "less-worse"
than this TrendMicro issue: [https://code.google.com/p/google-security-research/issues/detail?id=675&can=1&sort=-id](https://code.google.com/p/google-security-research/issues/detail?id=675&can=1&sort=-id)

------
je42
[http://www.trendmicro.com/us/about-us/index.html](http://www.trendmicro.com/us/about-us/index.html) Smart,
simple, security that fits

As a global leader in IT security, Trend Micro develops innovative security
solutions that make the world safe for businesses and consumers to exchange
digital information. With over 25 years of security expertise, we’re
recognized as the market leader in server security, cloud security, and small
business content security. Trend Micro Inc. is a global security software
company ....

------
nailer
> TrendMicro helpfully adds a self-signed https certificate for localhost to
> the trust store, so you don't need to click through any security errors.

Anyone know if this uses a non-unique key pair like the Lenovo one did?

~~~
comex
I don't think it really matters, as long as it's only a certificate for
localhost rather than a root CA as in the Lenovo case. I can't think of an
attack scenario where an attacker already able to run an HTTP server on
localhost would be aided by being able to use HTTPS on that server. Of course,
I could be missing something.

------
taylorwc
I can't even begin to describe my loathing for antivirus products. I haven't
used one personally in years, but there is a real quandary for a few of my
colleagues--they are not very technically inclined. This ranges in consequence
from needing help with simple tasks to having absolutely zero instinct/ability
to recognize phishing or questionable emails and links. I usually end up
putting _something_ on their machines to help but often feel like it's a lost
cause.

~~~
WorldMaker
I'm presuming Windows because "not very technically inclined" but at this
point when I help such people it's mostly a matter of A) verifying UAC is
active and at or higher than the default [1], B) verifying Windows Defender
and Smart Screen are active and up to date (Windows Update).

In every case I've seen of Windows Defender or Smart Screen being disabled or
out of date it almost always seems to be the fault of a "security product" the
user was talked into buying (especially the Norton Insecurity Suite). Defender
and Smart Screen together silently but capably do their job at handling the
main issues for a not very technically inclined person's systems and I find
the harder issue is convincing them not to install games from disreputable
sources (random poker websites, the weird shadows of once sort of reputable
places like RealArcade and WildTangent) that install irritating adware and
occasionally spyware, short of "taking away the UAC keys" and forcing them to
call me to type in an admin password to install software for them, which I
don't have the time/inclination to do.

[1] If a not very technically inclined user complains they see too many UAC
prompts they are probably doing something wrong and you should help them
figure that out.

~~~
CrowFly
Windows Defender on Windows 10 works fine. You'd be crazy to either disable it
and/or install a different security product.

------
dschiptsov
This, by the way, is a new normal. Organizations, teams and individuals within
an organization, especially its bureaucracy have self-preservation and keeping
their status in mind rather than any engineering discipline, leave alone
craftsmanship. Such is the nature of any bloated social formation, be it
government, church, army or corporation.

The very first person who suggested Node http server must be fired that very
day for offensive incompetence. I could hardly imagine any more satirical
example. Hypervisor in Java, perhaps.

But idiots are bullshitting another idiots (PHP, Mongo, Node, Hadoop - you
name it) whose only concern is to convince those one step higher in the
hierarchy that they are still worth keeping, so any bizarre mix of trending
[among idiots] memes would do.

Hey, Beavis, Node is cool, huh huh. Single-threaded callback hell in a language
with implicit coercion, without standard module system (leave alone
versioning) as a yet another useless layer of complexity to utilize lots of
man-hours for one more year? Lol wut? Node is cool.

So, all this is rather normal.

~~~
jwmerrill
So what technologies do you actually like for writing web servers?

I think this comment is a good example of "contempt culture," which we've
probably all been guilty of, and which we should do less.

[http://blog.aurynn.com/86/contempt-culture](http://blog.aurynn.com/86/contempt-culture)

~~~
dschiptsov
Considerable amount of intelligence is required to understand that nginx, due
to its design choices and attention to implementation details (which are
hallmarks of truly remarkable systems, such as Plan9/Inferno, Erlang,
Smalltalk, etc) is more portable than Node (it runs on more architectures,
including Windows) require order of magnitude less resources providing close
to optimal efficiency, could be easily extended via modules and scripted in Lua
with less lines of code, less pain, less nonsense.

BTW, contempt to incompetence or corruption is natural and healthy emotion. It
is what contempt has been evolved for.

------
xorcist
It's absurdities all the way down!

My favorite part is that they use the address pwm.trendmicro.com. (I had to
finger peck that now, my muscle memory kept typing something much more
fitting.)

------
Animats
Is there a US-CERT advisory for this yet?

Why are those APIs even there? A "retrieve all passwords in the clear" API? A
"run browser insecurely" API?

Has anyone considered charging Trend Micro with reckless endangerment or
material support of terrorism?

------
hardwaresofton
On the bright side, they reacted relatively quickly for such a large company,
and fixed the vulnerability.

Whoever is in charge of security for that project must be pretty embarrassed
(or the person doesn't exist)... Also no audit? cmoooon.

------
satuim
Is there any reasonable reason why anti-virus vendors often include shady or
insecure software like this? It's honestly the worst case of security theater
where it looks like it's helping but is honestly doing the opposite. And I
really wish AVs didn't try to include extras, as this really lowers my
disposition against the (scammy) Anti-Virus market. And this isn't the first
time that an AV turned out to make the computer less secure.

I have Avira Free installed, But only have the AV part and have disabled
Web/Mail Protection. So I am hoping that Avira are trustworthy enough and
don't push anything my way.

~~~
zAy0LfpBZLC8mAC
Of course, it's not the first time. As a matter of principle, antivirus
software cannot work. The whole idea is a scam. So, how is it surprising that
they bundle other equally useless/scammy software?

------
JustSomeNobody
Wow. Feel kinda bad for the TrendMicro team. This has to be rather
embarrassing.

~~~
arianvanp
No I do not feel bad for them at all. More often we see that Antivirus
products are total scams. The people behind it are basically criminal. They
install rogue certificates, are full of exploitable vectors, share our data
with third parties, inject ads in our browser traffic and are just horrible
and slow our computers down. From a security perspective, installing an AV
actually sounds like a really bad idea these days. They're basically really
horrible viruses in disguise. The most horrible kind of virus. These people
need to be shamed and I wish these companies nothing but the worst.

~~~
cobaltblue
I still sympathize with a subset of the ICs, those that must see so many
problems (maybe even futilely trying to fix them) but being crippled from
doing much by internal dynamics. I wish them the courage to pack up and leave
for someplace better, while on those who have been responsible long-term I
agree with you.

------
andrewchambers
Windows defender is the only av I trust to not totally duck up my pc.

~~~
ionised
It's pretty much ineffectual though, as Microsoft themselves admitted some
time ago.

It consistently scored lower than most other products in
detections/heuristics.

The only thing it has going for it is the light foot print.

~~~
ptaipale
I think the other might be that it doesn't have glaring, obvious holes like
Trend Micro.

------
tomcam
Can someone ELI5 why TrendMicro would do this? Sincerely--I don't know what
they get out of it, unless they're bad guys. Not trying to be snarky here.

~~~
JoshTriplett
This seems like a textbook case of Hanlon's Razor
([https://en.wikipedia.org/wiki/Hanlon's_razor](https://en.wikipedia.org/wiki/Hanlon's_razor),
"Never attribute to malice that which is adequately explained by stupidity").
They wanted some way for their website to interact with the user's local
installation of their software, and somehow arrived at the idea of running a
web server on localhost and accessing it from their website, without thinking
through the security implications at all. Even their responses in this bug
show that they _still_ don't really understand the implications.

Less broken software tends to solve this same problem using a browser
extension with a whitelisted domain for access, but that has the disadvantage
of requiring a browser extension for each browser, and doesn't fully protect
against hostile networks. Including the "https://" in the
whitelist would provide somewhat more security, especially with HSTS, a pinned
certificate, and a carefully-audited single-purpose domain.

But an even better design would eliminate the entire concept of connecting
back from the vendor website to the client software. Sometimes the right
answer to "how do I" is "don't".

~~~
tomcam
Thanks for the explanation, and...

> Sometimes the right answer to "how do I" is "don't".

Beautifully put.

------
emehrkay
Okay so piecing this together, let me know if I am correct. The TrendMicro
password manager will utilize a ShellExecute command to open a URL defined in
a query string? I feel like not trusting/passing $_GET/REQUEST params was one
of the first things that I learned when doing PHP development 12 years ago. Is
this a concept that needs revisiting with new-age Node developers?

~~~
kevincox
The problem wasn't that they were trusting GET params it's that they forgot
that they weren't the only ones capable of sending requests. If you wrote a
website that could only be accessed by people/computers you trust then trusting
the parameters is no problem.

TL;DR It's not how the data is sent but where it came from.

~~~
emehrkay
Oh okay, the expectation was that the web server that the application run was
to be private to the application and not anything else. I wasn't aware that
apps ran their own web servers, how often is that done?

~~~
pferde
Obviously at least once too often. :)

------
bitmapbrother
The funny part is how the TrendMicro guys keep asking Tavis to validate their
fix - as if he's their tech support guy.

------
tclancy
>let's worry about that screw up after you get the remote code execution under
control. Please confirm you understand this report.

This is an awful vulnerability and their immediate attempts at mitigation are
sad but I feel like the Open Source community could do itself a lot of favors
by avoiding this kind of tone. Not everyone working as a programmer is as good
as you. Not everyone working as a programmer is any good. If you care about
security here, why not concentrate on educating them. It's pretty likely the
devs at any consumer hardware company aren't world-beaters; if we wanted that
we would be willing to pay more than $100 for a router. It's also likely any
large company has a chain of command these things have to go down through and
back up again and for every link in that chain there's a greater than 0 chance
the person has no idea about proper security. You may feel the security flaw
is an obvious red flag that should have peoples' hair on fire but not everyone
understands what you do.

~~~
nezza-_-
> If you care about security here, why not concentrate on educating them.

They are selling a security product. They are the ones that should already
know these things.

~~~
tomku
To add on to this, by submitting the bug report, Tavis did not somehow
magically become responsible for educating Trend Micro programmers about
security.

------
wildmXranat
1/11 Trend Micro. Never forget! I can see how it can happen, I really do. A few
code reviews back, I had to request a fix for a remote path traversal able to
read any file on the system.

This is worse since TM is an AV vendor and probably has this deployed across
so many desktops.

------
insulanian
> This bug is subject to a 90 day disclosure deadline. If 90 days elapse
> without a broadly available patch, then the bug report will automatically
> become visible to the public.

Why is it visible already?

~~~
zurn
Because there is a broadly available patch. See eg
[https://googleonlinesecurity.blogspot.com/2015/02/feedback-and-data-driven-updates-to.html](https://googleonlinesecurity.blogspot.com/2015/02/feedback-and-data-driven-updates-to.html)

------
bsg75
Can anyone explain why a security product needs a local HTTP server, or why it
needs endpoints at all, let alone 70?

WTF it would have components written in Node or JavaScript?

~~~
detaro
In regards to your second question: Why wouldn't you write components in a
modern, generally well-sandboxed safe language? (Of course you shouldn't break
the sandbox to do so, but using JS in general is not a bad thing)

~~~
bsg75
I guess my (potentially old-school) thinking is that for something that needs
to be as solid as a security layer, integrated with the OS, I would only
consider memory and type-safe languages.

~~~
golergka
Type unsafety of js can lead to exceptions, not buffer overflows.

------
TazeTSchnitzel
Why do browsers let websites send AJAX requests to localhost anyway? I feel
like that's bound to cause trouble.

~~~
Tossrock
It's pretty standard when you're developing a web application. Your backend
runs on your machine, your frontend requests stuff from within the browser.

~~~
TazeTSchnitzel
Sure, but why can external sites access localhost?

~~~
Tyr42
The external sites don't access it, they just ask the browser to load an
image. So the external site can't read the result, but that's not actually
stopping them from owning your machine.

------
tobiaswk
I'm lost for words...

------
Hackless
Jesus Christ on ten motorbikes!

------
Hackless
Jesus Christ on ten motorbikes.

------
api
It's "enterprise"!

------
rcarmo
What could possibly go wrong?

------
daveheq
This is why I don't like installing free AV or paid AV or doing anything other
but burning my computer and living in the woods.

