Is having a false sense of security worse than having no security at all?
That's one reaction to the December revelations that beginning in 2012, the ScreenOS firmware that runs Juniper Networks' NetScreen firewalls had been altered to include code that attackers could use to remotely access the devices, without leaving a trace, as well as decrypt VPN traffic. Many security experts suspect that the "unauthorized code" found by Juniper was inserted by up to three different intelligence agencies (see Juniper Firmware: New Crypto Flaw Found).
This week, meanwhile, Trend Micro confirmed that one of its consumer products had a vulnerability that could be remotely exploited to run any code on a target's machine. The security vendor says it has now patched the flaw - which was in its consumer Password Manager application - and that users have been automatically updated.
The flaw came to light Jan. 11 following the patch, when Google's security team published full details of the vulnerability, as well as related correspondence between Google security engineer Tavis Ormandy, who discovered the flaw, and Trend Micro (see Google's Psychological Patch Warfare).
"We worked openly with Tavis during the disclosure and mitigation phase and we had two mandatory patches out through our auto-update servers in two and three days respectively from the day when the vulnerability was reported to us," Rik Ferguson, vice president of security research at Trend Micro, tells me. "Of course it's better to have no vulnerabilities at all, but in a real-world scenario, having the ability to listen, to engage and to resolve rapidly is invaluable."
Bug Report Timeline
Ormandy first reported the flaw to Trend Micro on Jan. 5, advising the security firm that the related bug report would automatically be made live after the bug was fixed, or else 90 days later, as is common practice with flaws found by Google's Project Zero bug-hunting team (see FireEye Patches Flaw Found by Google).
"When you install TrendMicro Antivirus on Windows, by default a component called Password Manager is also installed and automatically launched on startup," Ormandy wrote in his bug report, adding that the product opens multiple remote procedure call HTTP ports to accept API requests. "It took [me] about 30 seconds to spot one [API] that permits arbitrary command execution," he said. "This means any website can launch arbitrary commands." As a result, if a user visited a website that served the command-execution code, then it could remotely run code via the Password Manager.
To demonstrate the flaw, Ormandy's bug report included a proof-of-concept exploit that would allow a remote attacker to uninstall the Trend Micro Maximum Security 10 software.
Just working on my Trend Micro exploit. pic.twitter.com/XQXN7hjHEt
Trend Micro quickly confirmed the flaw to Ormandy, and began releasing patched software just two days later.
Ormandy's published correspondence with the security firm, however, sees him sounding increasingly exasperated with the quality of its code. "I'm still concerned that this component exposes nearly 70 API's (!!!!) to the Internet, most of which sound pretty scary. I tell them I'm not going to through them, but that they need to hire a professional security consultant to audit it urgently," he wrote in an update to his bug report on Jan. 7.
The next day, however, Ormandy said he'd begun going through the APIs and found several additional problems, including a way to remotely steal any passwords being stored in the password manager, using the now patched flaw he'd reported to Trend Micro. "To be clear, you can get arbitrary code execution whether they're using it or not, but stealing all the passwords from a password manager remotely doesn't happen very often, so I wanted to document that," he said.
Reaction to the news of the remote code execution vulnerability from many members of the security community - such as penetration testing expert Chris Rohlf, who's part of the Black Hat conference paper-review team - was that yes, even security products sometimes have critical security flaws.
If you're shocked by a trivial RCE in Trend Micro then you're probably new to this.
Intel Security Patches MAC
Of course, security software is often the focus of researchers' efforts, and they may issue bug reports as a result. For example, security consultant René Freingruber at SEC Consult Vulnerability Lab in Vienna on Jan. 12 published a paper detailing how Intel Security's McAfee Application Control software - widely used to secure critical infrastructure systems - could be bypassed. Freingruber said he identified ways in which social engineering and memory corruption could be exploited to bypass protection mechanisms built into the code.
But Intel Security spokesman Chris Palm tells me that the security firm doesn't believe users are at risk. "Upon learning of the researchers' concerns last summer, we promptly investigated the scenarios posed," he says. "We concluded that customers following our standard deployment configuration guidance are protected from these scenarios."
Separately, however, a medium-severity flaw was found in McAfee Application Control version 6.1.0, before build 706, 6.1.1, which on Jan. 12 was designated as CVE-2016-1715 by the U.S. National Vulnerability Database. McAfee has confirmed that flaw and released an update that patches the vulnerability.
How Should We Judge Security Vendors?
That's not to pick on Intel Security, but rather to show a partial week in the life of a security vendor: bug reports, related internal investigations and oftentimes, the release of a patch (see Fortinet Refutes SSH 'Backdoor' Report).
Of course, that process begs this question: Beyond employing top-notch software engineering practices, what should security vendors do about flaws in their security products' code base, no matter how they get there?
"It's certainly true to say that all software suffers from vulnerabilities - the real measure of an organization is how they engage with those vulnerabilities that are reported, how open they are with the entity making the report and how rapidly they can mobilize to get a fix in place," Trend Micro's Ferguson says. "Honesty, transparency and alacrity are key, and I'm proud to work for an organization that clearly displays all three."
In an ideal world, of course, it would be great if security vendors - stripped of time-to-market pressure, developers having a bad day and other concerns - brought ninja-level software and security engineering practices to bear on every product they developed, acquired or released. Pending such halcyon moments, however, and irrespective of feature testing by independent labs, "honesty, transparency and alacrity" seems like the collective next-best benchmark for which we'll have to settle.