/ Apps / Another antivirus maker put Google Chrome users at risk

Another antivirus maker put Google Chrome users at risk

Andrea on January 25, 2016 - 3:44 pm in Apps

 

trend-chrome-fail
Once again, a company that develops security software has been caught putting Google Chrome users in harm’s way. Google discovered a Trend Micro extension that left them vulnerable to attack.The extension? Trend Micro’s Password Manager. Yes, an extension that’s designed to keep its users’ website credentials safe and secure — that’s developed by one of the world’s foremost antimalware software providers — was released into the wild with vulnerabilities that could have allowed an attacker to remotely execute arbitrary code. As you can see from Google’s screenshot, all it took was a bit of specially-crafted JavaScript.

You won’t find their Password Manager in the Chrome Web Store. That’s because it’s delivered during the installation of their Windows antivirus software or as a standalone app. If you had it hooked to your Google Chrome, your browser was unwittingly exposing 70 of its APIs to the Internet. Thankfully, it doesn’t appear as though the Trend vulnerability was being actively exploited and the original issue has been fixed.

The resolve, however, apparently doesn’t completely lock things down. According to one Chromium contributor, Trend’s fix — to implement header checks — is fairly easy to defeat with something like a Trojanized PDF.

Trend isn’t the only company Google has called out recently. Engineers just got finished resolving a similar issue with AVG over their Web TuneUp extension. Fortunately for Chrome users, Tavis Ormandy and his team are on top of the situation. It’d just be nice if security software vendors would stop creating busywork for them.

Source: Apps – Geek.com

0 POST COMMENT

Send Us A Message Here

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>