A recent version of TrendMicro Antivirus contained a serious security vulnerability that would let a remote attacker run arbitrary commands on the target system and steal users' passwords. The now-patched flaw was present in the software's password management component and was discovered by security researcher Tavis Ormandy of Google Project Zero.
After installing TrendMicro Antivirus, Ormandy noticed that the software was listening on a few network ports for no apparent reason. After some investigation, he discovered that the password management component fires up a web server which exposes utility APIs to the internet. According to Ormandy, it took him "about 30 seconds to spot one that permits arbitrary command execution."
The researcher provided a proof-of-concept page that would uninstall the TrendMicro software from a test system. He noted that an attacker could silently exploit the bug, as TrendMicro adds its own self-signed certificate to the system, meaning a victim wouldn't see any security alerts. Adding insult to TrendMicro's injury, he then found additional vulnerabilities in the way the password manager handled management commands originating from TrendMicro's servers. These vulnerabilities could let an attacker steal the user's stored passwords, even if they were encrypted.
TrendMicro has since patched its software to ensure that any remote requests to the password manager come from the company's own servers. Details on the bug have since been made public as part of Project Zero's responsible disclosure policy.