Trend Micro patched several critical flaws in Password Manager that were discovered by a Google Project Zero researcher. The vulnerabilities allowed hackers to execute malicious code and view contents of a password manager built in to the malware protection program and steal passwords.
“It took about 30 seconds to spot one that permits arbitrary command execution,” researcher Tavis Ormandy wrote in a bug report. “This means any website can launch arbitrary commands”.
He discovered that the password tool, which was written in JavaScript and Node.js, opened multiple HTTP ports but did not create a whitelist to handle API commands.
“Tavis brought us a report of a possible vulnerability in ‘Trend Micro Password Manager,' one of our consumer value-add products," wrote Trend Micro's global threat communications manager Christopher Budd, in an email obtained by SCMagazine.com. “As part of our standard vulnerability response process we worked with him to identify and address the vulnerability. Customers are now getting protections through automatic download updates.”
“It's important to note that for Trend Micro Password Manager, ActiveUpdates cannot be turned off which means that all current Trend Micro Password Manager customers get all updates provided through ActiveUpdate,” wrote Budd, in a Trend Micro blog post.“That is the most ridiculous thing I've ever seen,” Ormandy wrote during his lengthy exchange with Trend Micro, describing the vulnerabilities. In another email to the company, the researcher wrote, “I noticed that there is a nice clean API for accessing passwords stored in the password manager, so anyone can just read all of the stored passwords”.
Last month, Ormandy identified a vulnerability that forcibly installs the Chrome extension AVG Web TuneUp when users install the AVG antivirus software and he one of the researchers who found a critical vulnerability in FireEye network security devices earlier the same month.
