This is critical. For all Trend Micro‘s Antivirus users: your Windows computer is in danger!!
Someone might be attacking your PC right now. All thanks to a small, yet critical bug in the app.
Soon after the incident, Trend Micro, released an emergency patch. This patch will fix the critical flaws in the app. Without this patch, a hacker can control your system and execute remote arbitrary commands. That if we exclude your password. If you’ve been using the Password Manager feature, you might have lost your passwords as well.
Now, here is the bad news. Even if you know the threat is there, there’s nothing you can do. The Password Manager is a built-in feature of Trend Micro’s Antivirus. That means one thing. You can’t remove it. Unless you remove the whole antivirus app.
Our Nightmare Bug
We asked experts about this bug. One of them is Tavis Ormandy. Currently, he works as a security researcher for Google’s Project Zero. Here is what he told us. The real threat lies inside the Password Manager feature. A bug lives there. With a proper tool, a hacker can remotely execute the bug. Next step? All your passwords are lost.
So, how does the Password Manager Work? How can it be our real problem?
Here is how it works. By default, The Password Manager boots a Node.js server on your local computer. This happens every time you start the Antivirus. When Ormandy analyzed the Password Manager, he found something interesting. The Node.js server leaves some HTTP RPC ports opened. Typically, we use these ports to handle API requests. However, there is a strict security protocol about these ports. Any port must be closed after completing a request. This to prevent remote control over the system.
So, what if someone forgot to close it? Hackers can place malicious links inside the port. This is what we have with Trend Micro Antivirus. The links were placed at “http://localhost:49155/api/.” Once a user clicked the link, it will allow hackers to take over the system remotely. All involves zero user interaction.
In other words, the hacker doesn’t need to touch your system. Everything is done remotely. Not even you know you’re being attacked.
Even if you knew it, you have probably lost your passwords.
But, this is not the end. Travis also found something else. The same bug also exposes at least 70 APIs through the same server. That means more door for hackers.
An Annoying Bug with Self-Signed SSL Certificate
2015 was probably the worst year for Dell and Lenovo. Malware was found pre-installed on their laptops. You sure remember about Dell’s eDellRoot and Lenovo’s Superfish, don’t you? These two successfully ruined everything we know as safe products. Pre-installed malware???? Are they joking?
Well, the good news is Lenovo and Dell responded. Patches were released soon after. The malwares were removed, but not the real problem. That’s how we’re mistaken. The real problem is not the malware. The real one is our own system. It is getting easier to breach. Those security certificates are supposed to prove our security. They are supposed to prove that we’ll always be safe on the web. The truth? These certificates are playing with us. Those hackers are playing with us. They give us fake certificates to ‘ensure’ our safety. The fact is, they lie. The only thing they want us to do is ‘believe that we are safe.’ Once we believe that, they will use our confidence to attack us. This is how a psychological war begins. People are getting aware of their security. In that case, the best way to deploy cyber attack is by attacking our consciousness.
This is how today’s bug and malware work.
And what are we supposed to do?
Independently safe. We are supposed to be like this. We shouldn’t be relying too much on those certificates. They are helpful, yes. I can’t deny that. But, relying too much is no less dangerous than real cyber attacks. Any bug and malware can modify any certificate. All because we trust them too much. Pre-installed malware is just the beginning. The second step has already begun. The second step: self-signed SSL certificate. Guess what? The bug is behind it.
This time the culprit is Trend Micro’s Antivirus. The app adds its own self-signed SSL certificate. Then, they add it to user’s certificate store. With this ‘dangerous’ certificate, no user will see any HTTPS errors.
Now, this is what we call as: RIDICULOUS.
So, what does this self-signed certificate do? It intercepts your encrypted traffic. This is similar to Superfish and
eDellRoot. With this, the bug knows every website you visit.
As of now, a patch is available for the bug. Thanks to Ormandy and Trend Micro’s team, you can now download the patch from Trend Micro. Please get the patch immediately to secure your PC.