Trend Micro security software made passwords vulnerable, allowed remote code execution

Google security researcher Tavis Ormandy is on a mission. A couple of weeks ago, he caught AVG circumventing Chrome’s malware checks in order to reroute search results. This week, he reported that Trend Micro’s Password Manager software exposed passwords and opened a door to potential malicious code attacks.

The anti-malware company sells Trend Micro Security 10, a consumer suite for Windows. The first two tiers bundle Password Manager, also available as a stand-alone download.

Ormandy found that Password Manager was apparently designed without much thought to security. Here’s how he described the remote code execution vulnerabilities:

This product is primarily written in JavaScript with node.js, and opens multiple HTTP RPC ports for handling API requests. It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute().

This means any website can launch arbitrary commands, like this:

x = new XMLHttpRequest()
x.open("GET", "https://localhost:49155/api/openUrlInDefaultBrowser?url=c:/windows/system32/calc.exe true); try { x.send(); } catch (e) {};

Two days after first reporting the issue to Trend Micro, Ormandy wrote again to the company, asserting that all stored passwords were exposed:

I don't even know what to say - how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?

So this means, anyone on the internet can steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction. I really hope the gravity of this is clear to you, because I'm astonished about this.

To get a sense of the urgency and details, the Google Project Zero thread makes for interesting reading. Ormandy first reported the issues to the security company a little over a week ago, and Trend Micro has since issued a fix, as of yesterday.

Another password manager had a recent scare. In June, LastPass reported a hack that compromised account email addresses and other data, but didn't expose encrypted passwords.

Source: Google Security Research via Ars Technica
Original micro-circuit with code image via Shutterstock

Report a problem with article
Next Article

Microsoft acquires technology assets from Event Zero to boost Skype for Business offering

Previous Article

Microsoft announces Envision, "new flagship event for business leaders and decision makers"

9 Comments - Add comment

Advertisement