Cybersecurity firm Trend Micro released an emergency fix this week for critical vulnerabilities in the Password Manager component of its Windows antivirus program.
"It took about 30 seconds to spot [an HTTP remote procedure call port for handling API requests] that permits arbitrary command execution," Google Project Zero researcher Tavis Ormandy wrote in comments posted on the Google Security Research site. "Anyone on the Internet can steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction. I really hope the gravity of this is clear to you, because I'm astonished about this."
Ormandy also noted that "this component exposes nearly 70 APIs to the Internet, most of which sound pretty scary," adding: "They need to hire a professional security consultant to audit it urgently."
Trend Micro worked with Ormandy prior to announcing the vulnerabilities on its official blog and releasing a fix.
"The most important thing to know is that the critical vulnerabilities in the public report have been fixed for all Trend Micro Password Manager customers," wrote Christopher Budd, global threat communications manager with Trend Micro, adding that no commercial or enterprise products were affected -- only the consumer version of Trend Micro Password Manager. "We released a mandatory update through Trend Micro's ActiveUpdate technology on January 11, 2016, that fixes these problems: All customers should have that now."
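The class of problem Ormandy describes, a local HTTP API listener that any remote party can drive, is worth checking for on your own Windows machines. The script below is an added example, not code from the article, from Ormandy or from Trend Micro, and it does not reproduce the Trend Micro bug: it lists every listening TCP port with its owning process and, for each port that answers HTTP on loopback, sends a GET carrying a non-local Origin header and reports whether the listener announces a permissive CORS policy (an Access-Control-Allow-Origin of `*` or an echo of the foreign origin), which would let any web page the user visits read that API's responses. The probe path `/`, the origin `http://attacker.example` and the 3-second timeout are illustrative assumptions; it targets Windows PowerShell 5.1, where `Get-NetTCPConnection` ships with Windows 8 / Server 2012 and later.

```powershell
# Added example, not code from the article or from Trend Micro.
# Assumptions: probe path "/", foreign origin "http://attacker.example",
# 3-second timeout. Requires Windows PowerShell 5.1 (Get-NetTCPConnection).

function Get-LocalTcpListeners {
    # One row per listening port, with the owning process name.
    Get-NetTCPConnection -State Listen |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port    = $_.LocalPort
                Address = $_.LocalAddress
                Process = if ($proc) { $proc.ProcessName } else { 'unknown' }
            }
        } | Sort-Object Port -Unique
}

function Get-HeaderValue {
    # Case-insensitive header lookup that works both for the Dictionary returned
    # on a 2xx response and for the WebHeaderCollection attached to a WebException.
    param($Headers, [string]$Name)
    foreach ($k in $Headers.Keys) {
        if ($k -ieq $Name) { return $Headers[$k] }
    }
    return $null
}

function Test-ForeignOriginCors {
    # Send a GET with a non-local Origin header and report the CORS policy the
    # listener announces. ACAO of "*" or an echo of the Origin means any web page
    # the user visits can read responses from this API.
    param([int]$Port, [string]$Origin = 'http://attacker.example')
    foreach ($scheme in 'http', 'https') {
        $uri = "${scheme}://127.0.0.1:$Port/"
        try {
            $resp = Invoke-WebRequest -Uri $uri -Headers @{ Origin = $Origin } `
                        -UseBasicParsing -TimeoutSec 3 -ErrorAction Stop
        } catch {
            # Non-2xx answers still carry headers; TLS failures (self-signed cert)
            # and non-HTTP listeners give no response object and are skipped.
            $resp = $_.Exception.Response
            if (-not $resp) { continue }
        }
        $acao = Get-HeaderValue $resp.Headers 'Access-Control-Allow-Origin'
        return [pscustomobject]@{
            Port       = $Port
            Scheme     = $scheme
            ACAO       = $acao
            Permissive = ($acao -eq '*' -or $acao -eq $Origin)
        }
    }
    return $null   # nothing HTTP-like answered on this port
}

# Report every listener and, for those that speak HTTP, the CORS policy exposed.
Get-LocalTcpListeners | ForEach-Object {
    $l = $_
    $cors = Test-ForeignOriginCors -Port $l.Port
    [pscustomobject]@{
        Port       = $l.Port
        Address    = $l.Address
        Process    = $l.Process
        HTTP       = [bool]$cors
        ACAO       = if ($cors) { $cors.ACAO } else { $null }
        Permissive = if ($cors) { $cors.Permissive } else { $false }
    }
} | Format-Table -AutoSize
```

Run it in an elevated prompt so `Get-Process` can resolve every owning process. A row with `Permissive` set to True is a starting point for a manual review of that process's API surface, not proof of a vulnerability: a listener may also be reachable cross-origin through simple requests that never trigger a preflight, and one that sets no CORS headers at all still needs to authenticate its callers. The probe only uses the IPv4 loopback address; a service bound only to `::1` will show in the listener list but not be probed.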
Android malware steals two-factor authentication passwords
Meanwhile, Android malware has been detected that's capable of defeating two-factor authentication (2FA) by forwarding voice calls containing one-time passcodes (OTPs) intended for the legitimate user, Dinesh Venkatesan, principal threat analysis engineer at Symantec, reported this week.
Venkatesan reported last year that Android malware -- first detected in 2014 and referred to as Android.Bankosy -- had been observed intercepting SMS text messages. The malware recently added the ability to forward voice calls because financial institutions have been moving away from delivering one-time passcodes via SMS.
Although the ability to defeat 2FA should be a concern, Symantec rated the Android.Bankosy malware as "Risk Level 1: Very Low," in part because it must be installed manually on the victim's device.
Cisco backdoors and default passwords
Cisco had a rough week, reporting several new vulnerabilities, as well as an unexpected default password change. First, there was a critical backdoor vulnerability in the admin portal of devices running Cisco Identity Services Engine software that "could allow an unauthenticated, remote attacker to gain unauthorized access to an affected device."
Cisco reported another critical vulnerability -- this one in devices running Cisco Wireless LAN Controller: "An unauthorized access vulnerability that could allow an unauthenticated, remote attacker to modify the configuration of the device." According to Cisco, a successful exploit of this vulnerability could "compromise the device completely."
Cisco also reported a vulnerability in its Aironet 1800 Series Access Point devices, which "could allow an unauthenticated, remote attacker to log in to the device by using a default account that has a static password." In other words, a hardcoded, static password -- though Cisco softened the blow by noting that: "By default, the account does not have full administrative privileges."
All of these vulnerabilities have been patched.
And in the "what the heck" department, Cisco apparently shipped "a number" of C-Series servers with the factory default password set to "Cisco1234," rather than the usual password, befuddling buyers who couldn't log in. The affected systems were manufactured between Nov. 17, 2015, and Jan. 6, 2016.
One less backdoor
In an official response to last month's reports about backdoors in Juniper Networks' products, the network security firm announced that it would be removing the Dual_EC pseudo-random number generator code that was reported to have been subverted by the National Security Agency.
"After a detailed review, there is no evidence of any other unauthorized code in ScreenOS, nor have we found any evidence of unauthorized code in Junos OS," wrote Bob Worrall, CIO at Juniper Networks, adding that Juniper would be making changes to the ScreenOS random number generation subsystem.
"We will replace Dual_EC and ANSI X9.31 in ScreenOS 6.3 with the same random number generation technology currently employed across our broad portfolio of Junos OS products. We intend to make these changes in a subsequent ScreenOS software release, which will be made available in the first half of 2016," he wrote.
In other news
- New York state legislator Matthew Titone filed a bill to ban the sale of encrypted smartphones in New York last June; this week, it was reported that the bill has been advanced for review by a committee in the New York state assembly. While the proposed law does not ban smartphone encryption outright, it would ban the sale or lease of any smartphone in the state "that is not capable of being decrypted and unlocked by its manufacturer." Such a ban would cover most current smartphone models, both Apple iPhones and Android phones.
- Adobe released security updates for 17 vulnerabilities in its Acrobat and Reader products for Windows and Mac systems. While the vulnerabilities are all rated "critical," and, if exploited, could allow attackers to take control of an affected system, Adobe set the priority rating for the updates to "Priority 2." This means that there are currently no known exploits and Adobe does not anticipate any imminent ones, but the patches should still be installed within 30 days.