Serg Nvns - Fotolia

Trend Micro Password Manager flaw; backdoors and passwords

In this roundup, Trend Micro's Password Manager flamed over JavaScript flaw; Android malware breaks two-factor authentication; Cisco vulnerabilities; Juniper backdoor update and more.

Cybersecurity firm Trend Micro released an emergency fix this week for critical vulnerabilities in the Password Manager component of its Windows antivirus program.

The Trend Micro Password Manager -- written in JavaScript using Node.js -- is part of the company's consumer antivirus product, and allows users to store and manage their passwords. However, antivirus software is not considered a good candidate to manage other functions because it usually requires high levels of system privileges, so it can detect and remove malware. The flaws Google Project Zero researcher Tavis Ormandy discovered would have permitted attackers to perform remote code execution, as well as access all user passwords stored in the Password Manager because of the elevated privileges.

"It took about 30 seconds to spot [an HTTP remote procedure call port for handling API requests] that permits arbitrary command execution," Ormandy wrote in comments posted on the Google Security Research site. "Anyone on the Internet can steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction. I really hope the gravity of this is clear to you, because I'm astonished about this."

Ormandy also noted that "this component exposes nearly 70 APIs to the Internet, most of which sound pretty scary," adding: "They need to hire a professional security consultant to audit it urgently."

Trend Micro worked with Ormandy prior to announcing the vulnerabilities on their official blog and releasing a fix.

"The most important thing to know is that the critical vulnerabilities in the public report have been fixed for all Trend Micro Password Manager customers," wrote Christopher Budd, global threat communications manager with Trend Micro, adding that no commercial or enterprise products were affected -- only the consumer version of Trend Micro Password Manager. "We released a mandatory update through Trend Micro's ActiveUpdate technology on January 11, 2016, that fixes these problems: All customers should have that now."

Android malware steals two-factor authentication passwords

Meanwhile, Android malware has been detected that's capable of defeating two-factor authentication (2FA) by forwarding voice calls containing onetime passphrases that would ordinarily be received by the authorized users, Dinesh Venkatesan, principal threat analysis engineer at Symantec, reported this week.

Venkatesan reported last year that Android malware -- first detected in 2014 and referred to as Android.Bankosy -- had been observed intercepting short message service (SMS) messages. The malware recently added the ability to forward voice calls, because financial institutions have been moving away from sending the onetime passcodes via SMS.

Although the ability to defeat 2FA should be a concern, Symantec rated the Android.Bankosy malware as "Risk Level 1: Very Low," in part because it must be installed manually on the victim's device.

Cisco backdoors and default passwords

Cisco had a rough week, reporting several new vulnerabilities, as well as an unexpected default password change. First, there was a critical backdoor vulnerability in the admin portal of devices running Cisco Identity Services Engine software that "could allow an unauthenticated, remote attacker to gain unauthorized access to an affected device."

Cisco reported another critical vulnerability -- this one in devices running Cisco Wireless LAN Controller: "An unauthorized access vulnerability that could allow an unauthenticated, remote attacker to modify the configuration of the device." According to Cisco, a successful exploit of this vulnerability could "compromise the device completely."

Cisco also reported a vulnerability in its Aironet 1800 Series Access Point devices, which "could allow an unauthenticated, remote attacker to log in to the device by using a default account that has a static password." In other words, a hardcoded, static password -- though Cisco softened the blow by noting that: "By default, the account does not have full administrative privileges."

All of these vulnerabilities have been patched.

And in the "what the heck" department, Cisco apparently shipped "a number" of C-Series servers with the factory default password set to "Cisco1234," rather than the usual password, befuddling buyers who couldn't log in. The affected systems were manufactured between Nov. 17, 2015, and Jan. 6, 2016.

One less backdoor

In an official response to last month's reports about backdoors in Juniper Networks' products, the network security firm announced that it would be removing the Dual_EC pseudo-random number generator code that was reported to have been subverted by the National Security Agency.

"After a detailed review, there is no evidence of any other unauthorized code in ScreenOS, nor have we found any evidence of unauthorized code in Junos OS," wrote Bob Worrall, CIO at Juniper Networks, adding that Juniper would be making changes to the ScreenOS random number generation subsystem.

"We will replace Dual_EC and ANSI X9.31 in ScreenOS 6.3 with the same random number generation technology currently employed across our broad portfolio of Junos OS products. We intend to make these changes in a subsequent ScreenOS software release, which will be made available in the first half of 2016," he wrote.

In other news

  • New York state legislator Matthew Titone filed a bill to ban the sale of encrypted smartphones in New York last June; this week, it was reported that bill has been advanced for review by a committee in the New York state assembly. While the proposed law does not ban smartphone encryption, it would ban the sale or lease of any smartphone in the state "that is not capable of being decrypted and unlocked by its manufacturer." Such a ban would include most current models of smartphone, both Apple iPhone and Android phones.
  • Adobe released security updates for 17 vulnerabilities in their Adobe Acrobat and Reader products for Windows and Mac systems. While the vulnerabilities are all rated "critical," and, if exploited, could allow attackers to take control of an affected system, Adobe's priority rating for the updates was set to "Priority 2." This means that currently, there are no known exploits, and Adobe does not anticipate any imminent exploits, but the patches should still be installed within 30 days.

Next Steps

Learn about security researcher Tavis Ormandy's work on other antivirus vulnerabilities in 2015.

Get some advice on identifying and preventing router vulnerabilities.

Find out more about how the NSA may have been involved with weakening the Dual_EC algorithm.

Dig Deeper on Malware, virus, Trojan and spyware protection and removal