Distributed with
Thinkstock typing laptop

Technology

Vulnerabilities in Trend Micro password manager threaten user security

A researcher at Google’s Project Zero discovered serious flaws in anti-virus provider Trend Micro’s password management software that allowed for remote attack execution and theft of login credentials.

Thinkstock typing laptop

A built-in part of security provider Trend Micro’s anti-virus software contained several security holes that could allow attackers to remotely execute attacks and steal passwords used by consumers across several sites and applications.

Google Project Zero researcher Tavis Ormandy discovered several vulnerabilities in Trend Micro’s software, beginning with a flaw in the Password Manager tool that the firm installs as a default for its users.

Ormandy found that the Password Manager has multiple HTTP remote procedure call ports to deal with API requests built using JavaScript and node.js.

Upon starting a local web server to listen for API commands without using a whitelist or same origin policy, Ormandy found that it only took him “about 30 seconds to spot” an API command permitting arbitrary command execution, allowing malicious hackers to instigate a remote attack.

Ormandy said despite Trend Micro’s initial fix efforts, the product exposed close to 70 API calls to the internet.

The code also allowed attackers to steal all passwords stored in users’ browsers, including encrypted passwords.

“Anyone on the internet can steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction,” Ormandy told Trend Micro via email.

“I really hope the gravity of this is clear to you, because I’m astonished about this,” he said to the firm.

Trend Micro later added an origin check for commands and whitelisted the pwm.trendmicro.com domain, which Ormandy says should work as long as the domain is not vulnerable to cross-site scripting flaws.

Ormandy was also quick to chastise the firm after discovering a second flaw with the security provider’s anti-virus software.

“TrendMicro helpfully adds a self-signed https certificate for localhost to the trust store, so you don’t need to click through any security errors,” he said.

A spokesperson for Trend Micro said the firm is working with the researcher to identify and address all vulnerabilities and that customers will receive protection through automatic updates.

Dell raised eyebrows in November last year when it was revealed that some of its models pre-installed self-signed root certificates, leaving machines vulnerable to adware and malware.

Ormandy has worked with Project Zero for several years examining vulnerabilities in security products such as Kaspersky Lab, AVG and FireEye. His interactions with the Trend Micro team on this issue can be found on Project Zero’s project site.


TEISS banner