Bitdefender and Trend Micro security software patched after multiple critical vulnerabilities exposed

In the past ten days, Trend Micro and Bitdefender have released blog posts urging customers to update their security software due to Local Privilege Escalation and Man-In-The-Middle (MITM) vulnerabilities, respectively [h/t Heise]. There are six related CVEs listed on their sites, five relating to Bitdefender Total Security and one for Trend Micro Deep Security Agent, and all advise updating to more recent releases. Bitdefender Total Security users are advised to be on product version 27.025.115 or newer, attainable through auto-update, and Trend Micro Deep Security Agent users are advised to update to or download product version 20.0.1-17380.

Of the two companies, Bitdefender seems to have had to patch more vulnerabilities than Trend Micro, though all five are targeted at MITM vulnerabilities in some way. Man In The Middle vulnerabilities allow for the interception and alteration of communications between users and given sites, allowing false pages and certificates to appear legitimate.

Bitdefender’s HTTPS scanning functionality was failing to verify certificates across five key scenarios properly: certificates lacking “Server Authentication” specs in Extended Key Usage extensions, incorrect checks of site certificates using MD5 and SHA1 collision hash functions, trust of unauthorized entities who exploit the “Basic Constraints” certificate extension, and improper trust of both certificates using the DSA signature algorithm and self-signed certificates, in general.

That said, Local Privilege Escalation is also quite a major cybersecurity issue, even if Trend Micro is addressing just one relevant vulnerability. Local Privilege Escalation refers to standard users gaining admin or system-level access, and Trend Micro’s gap came about as a result of insufficient authentication controls, which doesn’t sound like a great issue for software called Deep Security Agent.

Fortunately, the related issues have already been addressed in their respective software updates and these problems shouldn’t impact Bitdefender or Trend Micro customers anymore. However, it is noteworthy that, unlike many cyberattacks which find other vectors of infection, these vulnerabilities were all found within existing security software installed specifically on systems trying to avoid attacks like these. Sometimes, less is more — though of course, the applicability of that mentality can vary greatly depending on your industry.