TrendMicro hole gives attackers the keys to affected PCs

— 9:40 AM on January 13, 2016

A recent version of TrendMicro Antivirus contained a serious security vulnerability that would let a remote attacker run arbitrary commands on the target system and steal users' passwords. The now-patched flaw was present in the software's password management component and was discovered by security researcher Tavis Ormandy of Google Project Zero.

After installing TrendMicro Antivirus, Ormandy noticed that the software was listening on a few network ports for no apparent reason. After some investigation, he discovered that the password management component fires up a web server which exposes utility APIs to the internet. According to Ormandy, it took him "about 30 seconds to spot one that permits arbitrary command execution."

The researcher provided a proof-of-concept page that would uninstall the TrendMicro software from a test system. He noted that an attacker could silently exploit the bug, as TrendMicro adds its own self-signed certificate to the system, meaning a victim wouldn't see any security alerts. Adding insult to TrendMicro's injury, he then found out that additional vulnerabilities in the way the password manager handled management commands originating from TrendMicro's servers. These vulnerabilities could let an attacker steal the user's stored passwords, even if they were encrypted.

TrendMicro has since patched its software to ensure that any remote requests to the password manager come from the company's own servers. Details on the bug have since then been made public, as part of Project Zero's responsible disclosure policy.

Like what we're doing? Pay what you want to support TR and get nifty extra features.
Top contributors
1. BIF - $340 2. Ryu Connor - $250 3. mbutrovich - $250
4. YetAnotherGeek2 - $200 5. End User - $150 6. Captain Ned - $100
7. Anonymous Gerbil - $100 8. Bill Door - $100 9. ericfulmer - $100
10. dkanter - $100
Tip: You can use the A/Z keys to walk threads.
View options

This discussion is now closed.