Trend Micro Patches Anti-Virus Product After Being Blasted By Google Researcher

Antivirus vendor Trend Micro has patched its anti-virus product after a respected Google security researcher took it to task over the severity of a vulnerability and the slowness of its response. The flaw allowed arbitrary code execution on the user's machine and exposed the passwords stored in the Password Manager component that ships with the product. The issue was flagged by the researcher, Tavis Ormandy, who became frustrated with the vendor's sluggish response.

When Trend Micro is installed on Windows machines, the JavaScript-based Password Manager program is installed alongside it and launches automatically at startup. Ormandy found that the program ran a local web server that accepted commands from any caller, including any website the user happened to visit, so an attacker could use it to execute arbitrary code on the machine; it also exposed users' stored passwords. He reported the issue to Trend Micro and, after a series of back-and-forth exchanges, concluded that the vendor was not acting on it quickly enough given the severity of the vulnerability.

Ormandy documented his email exchange with Trend Micro, in one message lambasting the company:

“I don’t even know what to say – how could you enable this thing [Password Manager] *by default* on all your customer machines without getting an audit from a competent security consultant?

You need to come up with a plan for fixing this right now. Frankly, it also looks like you’re exposing all the stored passwords to the internet, but let’s worry about that screw up after you get the remote code execution under control.”

He even offered some recommendations:

“In my opinion, you should temporarily disable this feature for users and apologise for the temporary disruption, then hire an external consultancy to audit the code. In my experience dealing with security vendors, users are quite forgiving of mistakes if vendors act quickly to protect them once informed of a problem, I think the worst thing you can do is leave users exposed while you clean this thing up. The choice is yours, of course.”

Trend Micro eventually responded by confirming that it would issue an emergency product update to customers to patch the vulnerability. Ormandy acknowledged that the patch fixed a major part of the issue but remained concerned that the Password Manager would continue to be a point of entry for attackers.

[Via Google Security Research, Ars Technica]
