April 12, 2010

Many anti-virus products — particularly the “Internet security suite” variety — now ship with various Web browser toolbars, plug-ins and add-ons designed to help protect the customer’s personal information and to detect malicious Web sites. Unfortunately, if designed poorly, these browser extras can actually lower the security posture of the user’s system by introducing safety and stability issues.

The last time I caught up with security researcher Alex Holden, he was showing me a nifty way to crash IE6 and prevent the user from easily reopening the badly outdated and insecure browser version ever again. Just the other day, Holden asked me to verify a crash he’d found that affects users who have Trend Micro Internet Security installed, which installs a security toolbar in both Internet Explorer and Mozilla-based browsers on Microsoft Windows.

The video here was made on a virgin install of Windows XP SP3, with the latest Firefox build and a brand new copy of Trend Micro Internet Security. Paste a really long URL into the address bar with the Trend toolbar enabled, and Firefox crashes every time. Do the same with the toolbar disabled, and the browser lets the Web site at whatever domain name you put in front of the garbage characters handle the bogus request as it should. This isn’t limited to Firefox: The same long URL crashes IE8 with the Trend toolbar enabled, although for some strange reason it fails to crash IE6. I didn’t attempt to test it against IE7.

This crash could be benign, or it may be possible to use it to attack the browser. But, as Holden said, this is a very basic — Programming Security 101-type bug — that should not be found in such a widely used security software product.

“The resulting crash of the browser may have buffer overflow conditions which would potentially open up a computer to full user-level privilege from a malicious attacker,” said Holden, director of enterprise security at Cyopsis LLC., a Denver-based security firm. “The scope and simplicity of this exploit opens up the possibilities for redirects, site links or even the shortened URLs used on popular social media sites such as Twitter and Facebook to be exploited.”

I notified Trend about this bug roughly two weeks ago. The company said it expects to ship a downloadable hotfix on Tuesday, April 13 to correct this flaw.

Update, 6:27 p.m. ET: Corrected the date to read Tuesday, April 13.


24 thoughts on “TrendMicro Toolbar + Long URL = Fail

  1. Phoenix

    I see Trend Micro has a Mac version; I wonder how it works.

    1. MK

      It “works” just like every other antivirus suite for Mac. That is, it unnecessarily uses system resources in order to “protect” it from Windows executables that won’t work in the first place.

      1. xAdmin

        While I don’t rely on Anti-malware software as my primary defense (on Windows), it is one important layer in a multi-layered defense. It does provide value in being able to detect known malware (and stop it) should it get past my other defenses. To think this doesn’t apply to Mac OS X is naive. There is malware out there that can compromise OS X. While it is your choice, I wouldn’t purposely take away one of my defenses. To do so is foolhardy.

        1. Mike

          It is a reasonable position to decide that it makes no sense to slow down every single file operation on a machine in order to protect against essentially nothing. I think that most people don’t understand just how bad AV is against identifying modern malware, and just how little point there is in wasting resources on it. To do so on a platform that’s not even targeted by the malware the AV is looking for is defensible only if you’re forced to do so (for example, by a policy based on compliance rather than a risk assessment).

        2. MK

          xAdmin-

          “It does provide value in being able to detect known malware (and stop it) should it get past my other defenses. To think this doesn’t apply to Mac OS X is naive.”

          Please provide a link, news item, or any other shred of information on a self-executing, self-propagating virus for OS X in the wild.

          “There is malware out there that can compromise OS X.”

          Yes, there is. All of which require administrator verification (inputting the administrator password) to run. No malware detection system will defend against that.

          1. Dave

            “All of which require administrator verification (inputting the administrator password) to run. No malware detection system will defend against that.”

            That is patently false and a foolish claim to make.

            There are 2 likely scenarios.

            In the first, the malware detection blocks the exploit even before the request for admin verification.

            In the other, something executed or downloaded after granting Admin access, triggers the malware detection and blocks execution.

            In either case, the malware detection can defeat the social engineering employed to encourage a naive administrative verification.

          2. dward

            Not. True. Not thought out.

            Here’s a keyword to search. “pwn2own”

            Education is a beautiful thing.

        3. Antonio

          Have you considered the trade-off of your increased attack surface due to these complex parsers commonly running with elevated privileges in your analysis of how running A/V increases your security posture?

  2. Randy Duermyer

    Do you have any idea how this works with the Norton security toolbar in Firefox or IE8?

    I find the toolbar to be rather annoying, but my cable ISP just switched from McAfee to Norton and I don’t know if I’m better off with the toolbar enabled or disabled.

    Thanks for bringing this to light.

    1. BrianKrebs Post author

      No, Randy. Sorry, I haven’t played much with the toolbars installed by other security suites yet.

      1. dward

        BK- love to see some pwn2own analysis. I heard some very interesting techniques were employed by some to thwart DEP & Memory Ramdomization. For that matter I don’t recalling seeing any work from you that’s more of a “what the future might bring”. Could DEP be our salvation if developers code properly to it? If you wrote about it my apologizes. Love the work.

    2. xAdmin

      It looks like the Norton Toolbar (see link below) doesn’t provide much value beyond what is already built-in to the latest versions of IE or Firefox.

      Bottomline, I wouldn’t recommend storing your credentials even in the built-in browser features (AutoComplete). It’s one of the first things I disable in my browser. I would rather have to type them in everytime for better security. That way you don’t have to worry about malware possibly being able to steal that information or if someone gets physical access to your computer, being able to use that info to get into your accounts.

      http://www.symantec.com/norton/products/tutorials/overview.jsp?pvid=nis2010&tutid=norton_toolbar

      1. JCitizen

        I think using NIS 2010 and its site advisor and indentity safe are better than nothing, which is what a lot of people use.

        When using the ID safe feature, I never find personal data on the hard drive, and the information sent is encrypted, and so is anything entered and saved as a password.

        I don’t see how this could be a problem as I never had crashes, vulnerabilities, or slow downs after installing this feature. Norton did a good job updating the FireFox and IE 8 plugin as well.

        I agree Norton was the pits just two years ago, but for people who are security disabled, I still think it has merit. I can’t recommend any other suite though, for the same reasons you site.

        I do not work for Norton or any other corporation, and I do not sell software, I just like to clear the air on web security and help as many folks as I can, even if I have to do it for free!

    3. JCitizen

      It is better than nothing. I have scanned computers using this data security feature and can find no personal data stored anywhere, so it must be doing it’s job of encrypting anything you enter into the vault.

      It never hurts to use CCleaner to delete saved password or form data for both FireFox and IE 8 – they both have a bad habit of saving data that is not entered by the vault feature.

      If you do not like it, disable it and try any of the fine password/secure data utilities rated by users on CNET.

      Most seem to like RoboForm.

      I have found NIS to have a more accurate site evaluator than McAfee’s. It is not three months behind like Site Advisor.

    4. JCitizen

      It is better than nothing. I have scanned computers using this data security feature and can find no personal data stored anywhere, so it must be doing it’s job of encrypting anything you enter into the vault.

      It never hurts to use CCleaner to delete saved password or form data for both FireFox and IE 8 – they both have a bad habit of saving data that is not entered by the vault feature.

      If you do not like it, disable it and try any of the fine password/secure data utilities rated by users on CNET.

      Most seem to like RoboForm.

      I have found NIS to have a more accurate site evaluator than McAfee’s. It is not three months behind like Site Advisor.

      I have never noticed crashes or slow downs either.

  3. xAdmin

    I loathe add-on toolbars! While some are very useful tools, most are just outright garbage and just bog down the browser and cause problems, especially when there are multiple ones installed.

    They bother me on multiple fronts:

    First of all, it goes against the idea of limiting what software is installed in order to reduce the attack surface of a system and to minimize what needs to be patched/maintained. Second, they inevitably cause performance issues either crashing the browser or causing strange behavior or at a minimum user confusion. Third, modern browsers already have various safety features built-in that preclude any benefit of additional toolbar add-ons (albeit the few that do add value such as NoScript for Firefox).

    On a final note, many of these “Security Suites” are bloatware installing every possibly type of “feature” to give the sense you are getting a good value and are being fully protected. As if that’s all you need to do in order to protect your computer. That’s a false sense of security if there ever was one. 🙁

  4. Tom Seaview

    Another great reason to stick with Microsoft Security Essentials.
    Of course, you’ll never see MSSE on a new PC, since Microsoft won’t pay the OEMs kickbacks to install a trial version like Symantec, McAfee, and TrendMicro do.

  5. Dave

    If you want to test this issue with a “legitimately” long URL (meaning one that would actually redirect you somewhere, rather than the error message you displayed in FF), try

    freakinghugeurl.com

    especially with the “Holy Cr@p!” option, for a 512 character URL.

  6. JCitizen

    Just before I ended using Norton Internet Security 2010, Secunia PSI rated their plug-ins secure. Norton usually did a good job of updating it before vulnerabilities/exploits were discovered in the wild.

    Personally I don’t use AV suites, but my clients will use them, so I recommend NIS 2010 for users who need hand holding.

    I prefer LastPass myself.

    CCleaner set correctly will erase many of the form data folks accidentally leave behind after an SSL session. I use Identity Finder to root out these personal data sets, and erase, smudge out, or encrypt these documents.

    I do not work for any single person or company: It is just my life’s obligation to spread the security word, as I hate web criminals and their nefarious activity!

    I thank Brian for allowing me to continue posting on his blog, as I don’t plan to start one of my own.

  7. Philip

    It’s the last twitches of the AV industry. They add warning pop-ups plugins tool bars fishing philters ID theft prevention bling warn alert! and what not to their “tools” only to pretend that they still have an edge. Well, they don’t. All they’re good for by now is to act as a coroner and to identify the bullet that got you – long after rigor mortis set in.

  8. AV Myths

    “But, as Holden said, this is a very basic – Programming Security 101-type bug – that should not be found in such a widely used security software product.”

    Not according to Russ Cooper. He thinks people shouldn’t get upset over things like this and he was on his way to giving RISKS Digest a piece of his mind ten years ago about it. But he changed his mind at the last minute and instead celebrated Code Red with a big splash in Canada for all his AV friends, treating them to caneton a l’orange and champagne.

  9. bible study

    I’d been very pleased to find this website.I need to to thank you for this brilliant read!! I definitely enjoying every part of it and I maybe you have bookmarked to see new items you post.

Comments are closed.