Google Researcher Finds RCE Flaws in Trend Micro Product

Trend Micro Patches Password Manager Vulnerabilities Reported by Google Researcher 

Trend Micro has rolled out updates to patch easy-to-exploit vulnerabilities found by a Google Project Zero researcher in one of the security firm’s products.

On January 5, Google researcher Tavis Ormandy informed Trend Micro that he had identified a critical flaw in Password Manager, a component installed by default with Trend Micro’s Premium Security and Maximum Security home products.

Ormandy found that Password Manager, which is primarily written in JavaScript with Node.js, opens multiple HTTP RPC ports for handling API requests.

The expert said it only took him 30 seconds to identify an API that could be leveraged for remote code execution (RCE). An attacker simply needed to get the victim to visit a malicious website in order to execute commands on the host with the user’s privileges.

The Google researcher also noted that it was possible to bypass Internet Explorer’s Mark of the Web (MOTW) security feature and execute commands without the victim getting any prompts.

The proof-of-concept (PoC) submitted to Trend Micro abused the openUrlInDefaultBrowser API, but the expert raised concerns over the fact that Password Manager exposed nearly 70 APIs to the Internet. Ormandy hasn’t checked all the APIs, but he did notice nearly a dozen that were potentially dangerous.

The researcher also discovered that one of the APIs, exportBrowserPasswords, could have been leveraged by an attacker to force users to export their browser passwords to the password manager, and a different API allowed access to passwords stored in the Trend Micro product.

Ormandy said a malicious actor might have been able to steal user passwords silently and without any interaction from the victim, but Trend Micro argued that it would not have been easy to decrypt the encrypted passwords.

Trend Micro pushed out a patch to address the vulnerabilities on Monday and Ormandy has confirmed that the fix resolves the issues. The researcher has advised the security firm to hire external security consultants to audit the password manager’s code.

Trend Micro representatives told the Google expert that their product team has been reviewing the source code of the exposed APIs to ensure that no remote action is allowed.

Ormandy has recently analyzed the products of several security companies. He identified serious vulnerabilities in software from Kaspersky Lab, AVG, FireEye, Avast and others.

In September, the expert warned that flaws in security products can considerably increase exposure to targeted attacks.

“We have strong evidence that an active black market trade in antivirus exploits exists. Research shows that it’s an easily accessible attack surface that dramatically increases exposure to targeted attacks,” Ormandy said at the time. “For this reason, the vendors of security products have a responsibility to uphold the highest secure development standards possible to minimise the potential for harm caused by their software.”

Related Reading: Critical Flaw Found in AVG, McAfee, Kaspersky Products

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
