Two researchers report 200 bugs in Trend Micro tools

Trend Micro may be one of the world's biggest vendors of cybersecurity solutions, but that hasn't made it immune from hacks into its software, according to a report on Forbes.

In fact, over the past six months a team of security researchers has found more than 200 flaws across nearly a dozen of the Japan-based vendor's products.

White hat hackers Roberto Suggi Liverani and Steven Seeley began reporting bugs to the security company last July and have since uncovered what they say are 223 weaknesses across 11 Trend Micro products. Nearly 200 of the bugs, they said, can be exploited remotely, meaning an attacker anywhere on the globe could gain control without the owner even being aware.

One of the more particularly nasty flaws – an unauthenticated remote code execution vulnerability – was detected in Trend Micro's data loss prevention tool. Attackers could usurp control of the server running the software, which would then enable them to distribute malicious updates to any PC or client tethered to the server.

Other flaws included an unauthenticated remote code execution vulnerability in TM's InterScan tool and an unauthenticated stored cross-site scripting (XSS) flaw, which could enable phony administrators to execute malicious Java code and consequently gain control of the target server. Once there, they could extract data or alter service settings.

While the report said that Trend Micro has been responsive to the researchers' notifications and issued a number of fixes, Seeley stated that some of the patches were inadequate.

In a statement, Jon Clay, global director of threat communications at Trend Micro, said the company "takes every vulnerability found within our products seriously regardless of whether it is multiple submissions or a single submission."

Clay told SC Media on Thursday that the data loss prevention (DLP) product mentioned in the Forbes article has reached its official end of support (EOS) date. Customers have been advised to migrate to an alternate solution that is not affected.

"It is also important to note that there is no evidence that suggests that any of the proof of concept exploits reported to us were ever used publicly," Clay told SC. "While vulnerabilities are an unfortunate reality of any software development, we are also working proactively with our R&D teams to address and improve areas in which our development process can be strengthened."

Suggi Liverani and Seeley are scheduled to appear at a hacking conference in Amsterdam in April to demonstrate their exploits.
