TrendMicro hole gives attackers the keys to affected PCs

A recent version of TrendMicro Antivirus contained a serious security vulnerability that would let a remote attacker run arbitrary commands on the target system and steal users' passwords. The now-patched flaw was present in the software's password management component and was discovered by security researcher Tavis Ormandy of Google Project Zero.

After installing TrendMicro Antivirus, Ormandy noticed that the software was listening on a few network ports for no apparent reason. After some investigation, he discovered that the password management component fires up a web server which exposes utility APIs to the internet. According to Ormandy, it took him "about 30 seconds to spot one that permits arbitrary command execution."

The researcher provided a proof-of-concept page that would uninstall the TrendMicro software from a test system. He noted that an attacker could exploit the bug silently: because TrendMicro adds its own self-signed certificate to the system, a victim wouldn't see any security alerts. Adding insult to TrendMicro's injury, he then found additional vulnerabilities in the way the password manager handled management commands originating from TrendMicro's servers. These vulnerabilities could let an attacker steal the user's stored passwords, even if they were encrypted.

TrendMicro has since patched its software to ensure that any remote requests to the password manager come from the company's own servers. Details of the bug have since been made public, as part of Project Zero's responsible disclosure policy.
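As an added illustration (not code from the article, from Project Zero or from TrendMicro), here is a hypothetical Origin-header gate for a local HTTP API of the kind the story describes, showing a weak substring match beside a strict scheme/host/port match; the allowlisted host, the header dictionary and the action names are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist (hypothetical): the only origins the local API should
# honour, as (scheme, host, port). The vendor's real hosts are not on the page.
ALLOWED_ORIGINS = {("https", "updates.vendor.example", 443)}
SAFE_ACTIONS = {"status", "version"}   # read-only actions safe to expose


def naive_origin_ok(origin):
    """Weak check: accepts any Origin that merely contains an allowed host name.
    A lookalike such as updates.vendor.example.attacker.example passes."""
    return any(host in (origin or "") for _, host, _ in ALLOWED_ORIGINS)


def strict_origin_ok(origin):
    """Hardened check: exact scheme, host and port match against the allowlist.
    A missing or malformed Origin is rejected, never treated as 'local'."""
    if not origin:
        return False
    try:
        parts = urlsplit(origin)
        host, port = parts.hostname, parts.port   # hostname is lower-cased
    except ValueError:                            # e.g. a non-numeric port
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, host, port) in ALLOWED_ORIGINS


def handle_request(headers, action):
    """Gate a local API call on its Origin and on an allowlist of actions.
    Origin checks only constrain browser-issued requests (any other client can
    set the header freely), so anything beyond read-only status should not be
    reachable over the local HTTP API at all."""
    if not strict_origin_ok(headers.get("Origin")):
        return 403, "origin not allowed"
    if action not in SAFE_ACTIONS:
        return 403, "action not exposed over the local HTTP API"
    return 200, "ok"


if __name__ == "__main__":
    lookalike = "https://updates.vendor.example.attacker.example"
    print("naive :", naive_origin_ok(lookalike))    # True  (bypassed)
    print("strict:", strict_origin_ok(lookalike))   # False (rejected)
```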

Comments closed
    • synthtel2
    • 4 years ago

    So much WTF here. I still don’t understand why they feel the need to be running a server like that, and the origin check they put in as a “fix” isn’t exactly foolproof. For an example, see post #31 in the thread linked in OP (by slek…@google.com) (I’m not quoting it in case of someone trying to run damage control on stuff).

    If true (I have no idea), they still need to be in crunch mode getting a more solid fix out the door… or, if they were taking their job seriously at all, JUST DISABLE THE SERVER ALREADY, AND ONLY BRING IT BACK AFTER GETTING A CLUE (which probably means not at all).

    For being a purported security company (read that either way), they sure seem to be terrible at it.

    • BlackDove
    • 4 years ago

    That's why I say a lot of antiviruses are worse than useless.

    • TheMonkeyKing
    • 4 years ago

    Oh yes, that is exactly what I want from any application of mine. As soon as I install it, it manages to run the login interface on a web API. That is exactly what I want because any antivirus program should be able to run my damn login account administration from a remote location as a default.

    Jeebus, who really writes this stuff?

    • UberGerbil
    • 4 years ago

    The facepalm is strong in this one.

      • Bobs_Your_Uncle
      • 4 years ago

      Tactical Facepalm: For those times when a regular facepalm just doesn't cut it! http://media.indiedb.com/images/members/3/2312/2311677/Tactical_Facepalm.jpg

        • UberGerbil
        • 4 years ago

        Yeah, we’ve escalated past this http://i.imgur.com/Uybx5G4.png to this http://i.imgur.com/CxFpnpa.jpg

      • DoomGuy64
      • 4 years ago

      This isn’t the first AV to be caught doing this either. Makes one wonder if there is some gov. mandated backdoor initiative that they are complying with. Ever since Avast screwed up my TCP/IP settings, I’ve avoided using any overly complex AV programs. There’s no need to hijack all my internet traffic into a single threaded app.

        • UberGerbil
        • 4 years ago

        While I understand the suspicion, this smells like Hanlon’s Razor to me.

        • BlackDove
        • 4 years ago

        Especially when they don't use ASLR or other exploit mitigations on all their files.

        Malwarebytes and Microsoft are pretty good about this.
