Antivirus vendor Trend Micro patched its anti-virus offering after being told off by a respected Google security researcher about the severity of the vulnerability. The security flaw allowed the execution of malicious code and passwords stored on the Password Manager component of the Trend Micro antivirus product. The issue was flagged by the researcher, Tavis Ormandy, who became frustrated with the vendor’s sluggish response.
Ormandy documented his email exchange with TrendMicro, one of which involved him lambasting the company:
“I don’t even know what to say – how could you enable this thing [Password Manager] *by default* on all your customer machines without getting an audit from a competent security consultant?
You need to come up with a plan for fixing this right now. Frankly, it also looks like you’re exposing all the stored passwords to the internet, but let’s worry about that screw up after you get the remote code execution under control.
He even offered some recommendations:
“In my opinion, you should temporarily disable this feature for users and apologise for the temporary disruption, then hire an external consultancy to audit the code. In my experience dealing with security vendors, users are quite forgiving of mistakes if vendors act quickly to protect them once informed of a problem, I think the worst thing you can do is leave users exposed while you clean this thing up. The choice is yours, of course.”
Finally, Trend Micro responded by confirming it will be issuing an emergency product update to customers to patch the vulnerability. Ormandy acknowledged that the patch fixes a major part of the issue but remained concerned that the Password Manager will continue to be a point of entry for attackers to exploit.