Antivirus vendor Trend Micro patched its anti-virus product after a respected Google security researcher publicly rebuked it over the severity of a vulnerability in the product. The flaw allowed the execution of malicious code and exposed the passwords stored by the Password Manager component bundled with the Trend Micro antivirus product. The issue was reported by the researcher, Tavis Ormandy, who grew frustrated with the vendor’s sluggish response.
When Trend Micro’s antivirus is installed on Windows machines, the JavaScript-based Password Manager program is installed with it and launches automatically at startup. Ormandy found that the program permitted arbitrary command execution, which attackers could exploit to run malicious code on the machine, and that it also exposed users’ stored passwords. He reported the issue to Trend Micro and, after a series of back-and-forth exchanges, concluded that the vendor was not acting on it fast enough, despite the severity of the vulnerability.
Ormandy documented his email exchange with Trend Micro, one message of which involved him lambasting the company:
“I don’t even know what to say – how could you enable this thing [Password Manager] *by default* on all your customer machines without getting an audit from a competent security consultant?
You need to come up with a plan for fixing this right now. Frankly, it also looks like you’re exposing all the stored passwords to the internet, but let’s worry about that screw up after you get the remote code execution under control.”
He even offered some recommendations:
“In my opinion, you should temporarily disable this feature for users and apologise for the temporary disruption, then hire an external consultancy to audit the code. In my experience dealing with security vendors, users are quite forgiving of mistakes if vendors act quickly to protect them once informed of a problem, I think the worst thing you can do is leave users exposed while you clean this thing up. The choice is yours, of course.”
Trend Micro eventually responded by confirming that it would issue an emergency product update to customers to patch the vulnerability. Ormandy acknowledged that the patch fixed a major part of the problem but remained concerned that Password Manager would continue to be a point of entry for attackers to exploit.
Comments
2 responses to “Trend Micro Patches Anti-Virus Product After Being Blasted By Google Researcher”
Why does an AV need to be a password manager as well?
Doesn’t need to be, but lets them market it as having it/more.
Probably something marketing came up with and didn’t give the programmers much time to implement. (not an excuse imo)