Trend Micro has pulled the Privacy Browser from its Dr Safety Android security suite following the discovery of a recurring flaw that could be abused to trick people into thinking malicious pages were legit.
Security consultant Dhiraj Mishra discovered and privately reported the vulnerability to the software maker in April. Trend responded by pulling the app from its Android security suite.
The bug, we're told, could be exploited by a miscreant to alter the address bar on pages viewed in the privacy browser, opening up a whole host of hacking opportunities. For instance, a page designed to phish bank account login details could rewrite the URL bar to show the bank's domain name rather than whatever URL was used to host the credential-grabbing page.
Mishra told The Register on Thursday the same-origin policy flaw would be fairly easy to exploit. More than 10 million people have downloaded the application.
"There is no way of determining if the URL is authentic or not, due to which this could result in capturing sensitive information such as usernames and passwords. Additionally, along with address bar spoofing, attackers could also spoof SSL, which makes it more difficult to determine the authenticity of the URL."
The vulnerability, CVE-2018-18334, was confirmed by Trend Micro, which said that for now it is opting to disable the browser outright rather than try to patch the bug.
"We had a low severity security issue reported to us under responsible disclosure and we decided to remove the component from our free Android App," Trend told El Reg.
"We are currently evaluating whether or not the issue can be appropriately mitigated while still retaining its desired functionality before deciding whether or not to add the browser back at a later time."
Mishra noted this is not the first time Trend has dealt with this security issue, hence the 2018 CVE assignment. The security vendor first tried to patch the vulnerability in Dr Safety back in January of last year, yet this year Mishra spotted multiple address bar spoofing bugs of the same type that hadn't been fixed. This would help to explain why Trend opted to cut out the secure browser entirely rather than try to issue a fix for the bug.
While not a massive security issue on its own or a crippling blow to the Dr Safety suite – the browser is only one of many bits of security software in the application – the bug and the subsequent removal of the browser are not exactly a welcome development for Trend Micro.
Less than a month ago, Trend Micro pulled offline another of its products, the free Rootkit Buster tool for Windows. Though Trend Micro said the tool was removed due to an unidentified security issue, it was discovered a driver within the software mysteriously altered the way it allocated memory in order to pass Microsoft's quality certification tests when it detected it was under examination.
Trend denied the driver was intentionally trying to cheat the Microsoft certification tests, though it did not explain why the test-detection code was present. ®