Kaspersky and Trend Micro get patch bonanza after ID flaw and password manager holes spotted

Quis custodiet ipsos custodes?

Kaspersky and Trend Micro have released updates to address vulnerabilities in their respective security tools.

The updates come on the heels of the monthly security patch dumps from Microsoft, Adobe, Apple, and SAP, giving admins one more update to test and install on user systems.

Kaspersky's fix addresses a privacy hole discovered and reported to the company by German tech magazine C't.

Reporter Ronald Eikenberg found that the Kaspersky antivirus software was injecting JavaScript into websites (an intended behavior used to check for malware) and including a unique identifier with that code. Both the code and the identifier were also visible to the website operator.

"In other words, any website can read the user's Kaspersky ID and use it for tracking," Eikenberg explained. "If the same Universally Unique Identifier comes back, or appears on another website of the same operator, they can see that the same computer is being used."

Kaspersky, for its part, downplayed the risk posed by the behavior but did acknowledge it had been in contact with Eikenberg and had agreed to stop including unique identifiers as part of its web antivirus tool.

"Kaspersky has changed the process of checking web pages for malicious activity by removing the usage of unique identifiers for the GET requests," a spokesperson said in a statement to The Register.

"This change was made after Ronald Eikenberg reported to us that using unique identifiers for the GET requests can potentially lead to the disclosure of a user’s personal information."

"After our internal research, we have concluded that such scenarios of user’s privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals. Nevertheless, we are constantly working on improving our technologies and products, resulting in a change in this process."
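An added example (not from the article, C't, or Kaspersky) of how captured pages can be checked for the behavior described above: it flags any UUID-shaped token that recurs in `<script>` URLs across unrelated sites. The hostnames, UUIDs and HTML are constructed samples, and the function names are hypothetical.

```javascript
// Added example: find UUID-shaped tokens that recur in <script> URLs on
// pages from unrelated sites, i.e. a stable identifier injected client-side.
const UUID_RE = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/gi;
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;

// Return every src attribute found on <script> tags in the HTML.
function scriptSources(html) {
  return Array.from(html.matchAll(SCRIPT_SRC_RE), (m) => m[1]);
}

// pages: [{ site, html }] as saved from the browser on the protected machine.
function findPersistentIds(pages) {
  const seen = new Map(); // normalized uuid -> { sites, urls }
  for (const { site, html } of pages) {
    for (const src of scriptSources(html)) {
      for (const id of src.match(UUID_RE) || []) {
        const key = id.toLowerCase();
        if (!seen.has(key)) seen.set(key, { sites: new Set(), urls: new Set() });
        seen.get(key).sites.add(site);
        seen.get(key).urls.add(src);
      }
    }
  }
  const findings = [];
  for (const [id, { sites, urls }] of seen) {
    // A UUID used by one site only is normal; the same one on two is not.
    if (sites.size >= 2) findings.push({ id, sites: [...sites].sort(), urls: [...urls] });
  }
  return findings;
}

// Constructed sample captures; scanner.example.invalid is a placeholder host.
const SAMPLE_PAGES = [
  { site: "shop.example", html:
    '<script src="/static/0a1b2c3d-1111-4222-8333-444455556666/app.js"></script>' +
    '<script src="https://scanner.example.invalid/3f2b8c1e-9d4a-4e6b-8a71-5c0d2e9f1b34/main.js"></script>' },
  { site: "news.example", html:
    "<script async src='/js/9e8d7c6b-aaaa-4bbb-8ccc-ddddeeeeffff.js'></script>" +
    '<script src="https://scanner.example.invalid/3F2B8C1E-9D4A-4E6B-8A71-5C0D2E9F1B34/main.js"></script>' },
  { site: "blog.example", html: // no identifier in the injected URL
    '<script src="https://scanner.example.invalid/main.js"></script>' },
];

console.log(JSON.stringify(findPersistentIds(SAMPLE_PAGES), null, 2));
```

Identifiers that appear on a single site, such as a site's own versioned asset paths, are not reported.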

For Trend Micro, the update will address a pair of DLL hijacking vulnerabilities in Password Manager 5.0 in Windows. The password tool is included in the Premium Security 2019 and Maximum Security 2019 suites.

Peleg Hadar of SafeBreach Labs and Trần Văn Khang from Infiniti Team were credited with reporting CVE-2019-14684 and CVE-2019-14687, two separate errors that would allow an attacker to trick the Trend Micro password tool into executing code from unsigned DLLs.

While such a scenario would mean a complete takeover of the target machine, keep in mind that in order to exploit it an attacker would not only have to know that the target was running the vulnerable Trend password manager, but also have the ability to place the malicious DLLs on the PC.

Still, those running Trend Password Manager 5.0 (also known as 2019) should update to build 5.0.0.1058 or later. ®