Last month we brought you the news that a bug in the popular AVG antivirus ended up exposing the private data of 9 million users. While we see this sort of thing all too regularly from companies, it’s especially upsetting when it comes from a program that’s specifically designed to keep your data safe. Unfortunately, only a couple of weeks later, we’ve got word that another popular antivirus suite left people’s information wide open.
The issue that happened with AVG wasn’t specifically with its antivirus, but with a Chrome extension that was installed alongside it. The same is true of the latest security hole, this time found in Trend Micro’s antivirus suite. Specifically, the issue was found in Trend Micro’s Password Manager, which is installed with the antivirus on Windows machines.
Apparently Trend Micro was using an API that invoked an “ancient” version of Chromium, from back in January of last year. By doing this, the program actually breaks itself out of its sandbox, and allows an attacker to run other local programs on the machine. This could be used to execute any number of remote attacks. What’s more, all of the passwords that were being “securely stored” could actually be read in the clear, thanks to this vulnerability.
I think the message this sends is pretty clear. If you need an antivirus, use one that doesn’t install anything else on your machine. The extra add-ons seem to be doing more harm than good. Trend Micro has managed to fix this vulnerability, as did AVG. But these holes simply shouldn’t have ever existed in the first place, as millions of users had their data put at risk as a result.