Connect with us

Hi, what are you looking for?


Application Security

Google Researcher Finds RCE Flaws in Trend Micro Product

Trend Micro Patches Password Manager Vulnerabilities Reported by Google Researcher 

Trend Micro has rolled out updates to patch easy-to-exploit vulnerabilities found by a Google Project Zero researcher in one of the security firm’s products.

Trend Micro Patches Password Manager Vulnerabilities Reported by Google Researcher 

Trend Micro has rolled out updates to patch easy-to-exploit vulnerabilities found by a Google Project Zero researcher in one of the security firm’s products.

On January 5, Google researcher Tavis Ormandy informed Trend Micro that he had identified a critical flaw in Password Manager, a component installed by default with Trend Micro’s Premium Security and Maximum Security home products.

Ormandy found that Password Manager, which is primarily written in JavaScript with Node.js, opens multiple HTTP RPC ports for handling API requests.

The experts said it only took him 30 seconds to identify an API that could be leveraged for remote code execution (RCE). An attacker simply needed to get the victim to visit a malicious website in order to execute commands on the host with the user’s privileges.

The Google researcher also noted that it was possible to bypass Internet Explorer’s Mark of the Web (MOTW) security feature and execute commands without the victim getting any prompts.

The proof-of-concept (PoC) submitted to Trend Micro abused the openUrlInDefaultBrowser API, but the expert raised concerns over the fact that Password Manager exposed nearly 70 APIs to the Internet. Ormandy hasn’t checked all the APIs, but he did notice nearly a dozen that were potentially dangerous.

Advertisement. Scroll to continue reading.

The researcher also discovered that one of the APIs, exportBrowserPasswords, could have been leveraged by an attacker to force users to export their browser passwords to the password manager, and a different API allowed access to passwords stored in the Trend Micro product.

Ormandy said a malicious actor might have been able to steal user passwords silently and without any interaction from the victim, but Trend Micro argued that it would not have been easy to decrypt the encrypted passwords.

Trend Micro pushed out a patch to address the vulnerabilities on Monday and Ormandy has confirmed that the fix resolves the issues. The researcher has advised the security firm to hire external security consultants to audit the password manager’s code.

Trend Micro representatives told the Google expert that their product team has been reviewing the source code of the exposed APIs to ensure that no remote action is allowed.

Ormandy has analyzed the products of several security companies over the past period. He identified serious vulnerabilities in software from Kaspersky Lab, AVG, FireEye, Avast and others.

In September, the expert warned that flaws in security products can considerably increase exposure to targeted attacks.

“We have strong evidence that an active black market trade in antivirus exploits exists. Research shows that it’s an easily accessible attack surface that dramatically increases exposure to targeted attacks,” Ormandy said at the time. “For this reason, the vendors of security products have a responsibility to uphold the highest secure development standards possible to minimise the potential for harm caused by their software.”

Related Reading: Critical Flaw Found in AVG, McAfee, Kaspersky Products

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.