Recent discoveries have uncovered significant security vulnerabilities in antivirus software from Bitdefender and Trend Micro, potentially endangering systems worldwide. These vulnerabilities were identified during an examination of the software’s security features and highlight the necessity for timely installation of security updates by administrators to prevent malicious attacks.

Bitdefender Total Security Flaws

The vulnerabilities in Bitdefender Total Security are concerning mainly due to the HTTPS scanning function. This feature fails in proper certificate verification, allowing attackers to insert themselves into internet connections as 'man-in-the-middle', thereby intercepting data exchanged between a target user and websites. The developers at Bitdefender have detailed several high-severity vulnerabilities in advisories, too: with CVE identifiers CVE-2023-49567, CVE-2023-49570, CVE-2023-6055, CVE-2023-6056, and CVE-2023-6057.

The resolution for these vulnerabilities is included in the automatic update to Total Security Version 27.0.25.11. Although the specific details of any current attacks or the identification of affected systems remain unclear, administrators are urged to promptly update their systems to eliminate the risk. Moreover, it is not specified which operating systems are vulnerable, adding to the urgency for users to ensure their software is up to date.

Threats from Trend Micro’s Deep Security Agent

Users of Trend Micro’s Deep Security Agent on Windows systems are also at risk if they do not upgrade to version 20.0.1-17380 (20 LTS Update 2024-08-21). According to Trend Micro's notice, a high-severity vulnerability identified as CVE-2024-48903 could lead to unauthorized privilege escalation. An attacker exploiting this flaw requires low-level user privileges to gain higher access rights due to insufficient control over authentication processes. Therefore, it is crucial for users to apply the update to prevent exploitation of this vulnerability.

The discovery of these vulnerabilities serves as a stark reminder of the importance of maintaining updated cybersecurity defenses in a constantly evolving threat landscape.

For more insights, the original reporting can be found at heise Security