Security researchers found and disclosed more than 200 vulnerabilities in Trend Micro security products since July 2016. Despite the severity of the flaws, experts don't foresee lasting damage to the company's brand.
Security researchers Roberto Liverani and Steven Seeley discovered and reported 223 flaws to Trend Micro since July 29, 2016. The vulnerabilities were found in 11 different Trend Micro security products, and 194 of them would be considered critical because they allow remote code execution without user interaction. One issue in Trend Micro Data Loss Prevention could even lead to a full network compromise.
Jon Clay, global director of threat communications at Trend Micro, noted the vulnerabilities were not found in the company's endpoint or Deep Security products.
"Trend Micro takes every vulnerability found within our products seriously regardless of whether it is multiple submissions or a single submission," the company said in a statement. "We know there is a growing interest and level of activity in vulnerability research, and we are dedicated to rapidly addressing any issues that are uncovered by the research community."
Trend Micro told SearchSecurity that its Data Loss Prevention product has reached its official End of Support date and "customers have been advised to migrate to an alternate solution that is not affected."
"It is also important to note that there is no evidence that suggests that any of the proof of concept exploits reported to us were ever used publicly," a Trend Micro spokesperson said. "While vulnerabilities are an unfortunate reality of any software development, we are also working proactively with our R&D teams to address and improve areas in which our development process can be strengthened."
Seeley told Forbes that Trend Micro was quick to respond to the vulnerability disclosures but questioned the company's security audits and said one patch Trend Micro issued "completely failed."
Jon Miller, chief research officer at Cylance Inc., agreed that code reviews should have found the flaws in Trend Micro security products.
"The same methodology that is used to find these vulnerabilities by third parties needs to be completed by the authors before they release the product to consumers," Miller told SearchSecurity. "However it can only happen after the code has been written and normally the priority is to get the product to market."
Chris Eng, vice president of research at Veracode, said his advice to Trend Micro would be the same as he'd give to any software company.
"Security companies should incorporate security into all phases of the development process. That includes training developers on secure coding as well as ensuring security testing is conducted throughout development and certainly prior to release," Eng told SearchSecurity. "Security testing doesn't find 100% of issues, so they should also have processes for responding to vulnerability reports to ensure they communicate transparently with researchers around timeframes for patching."
Trust and brand damage
Experts generally weren't surprised to hear of so many vulnerabilities found in a security company's products and said many similar companies have not earned the trust of users.
Chris Bisnett, co-founder of Huntress Labs, said Microsoft had similar issues in the early 2000s and ultimately had to "completely redesign their software development lifecycle."
"Now many of their products are extremely well-written and tested. In some aspects, they are industry leaders in security. Considering that, any company can rebound if they make it a priority," Bisnett told SearchSecurity. "Trust is earned and 200-plus vulnerabilities demonstrate a significant failure to care about the security of the customers they are protecting. With that said, most complex software is probably just as vulnerable regardless of the vendor."
Miller agreed that customers "shouldn't trust any of their vendors."
"Contrary to marketing, nothing stops 100% of attacks, no solution is the silver bullet, and the only way we will move past incidents like this is if consumers start holding vendors accountable," Miller said.
Despite the view that users should distrust Trend Micro, experts don't foresee any lasting damage to the company's brand.
Paul Calatayud, CTO at FireMon, said he doesn't expect these issues "will materially impact Trend in the long run."
"The lesson here is to understand that security companies are comprised of people developing software more than security practitioners," Calatayud told SearchSecurity. "Many companies have fallen victim to cyberattacks and security companies are not immune. In some respects, they are more of a target than most given the fact that they are often promoting how their products can stop the bad guys."
Eng said Trend Micro "can absolutely rebound from this."
"Trend Micro is hardly alone here. Similar vulnerabilities have been found in other AV products, and it's not uncommon to find rampant vulnerabilities in legacy products that were built under a less robust [software development life cycle]," Eng said. "There is no reason to think Trend Micro won't be able to address these issues. This may serve as a wake-up call to rethink and improve upon the security processes that they already have."
Bisnett said the frequent critical vulnerabilities found by Google Project Zero could mean "the entire industry will feel some of this blowback."
"As for Trend Micro specifically, it seems likely they will weather this blow just as Target weathered their massive breach," Bisnett said. "Consumers are saturated by the threat of hackers, and I personally feel many consumers have grown numb."