Trend Micro Password Manager could have exposed all of your passwords to hackers
People turn to security tools to, obviously, improve security. Antivirus tools take care of malware, firewalls manage network and internet traffic, encryption keeps files private, and password managers keep passwords safe. At least that's the idea.
Google security engineer Tavis Ormandy discovered a vulnerability in Trend Micro Password Manager (part of Trend Micro Antivirus) which allowed remote code execution and opened up the possibility of passwords being stolen. Ormandy posted details of the security problem to the Google Security Research newsgroup, and the clock started ticking on a 90-day full disclosure deadline.
In his post, Ormandy points out that "this product is primarily written in JavaScript with node.js, and opens multiple HTTP RPC ports for handling API requests. It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute(). This means any website can launch arbitrary commands". He goes on to point out, with a hint of sarcasm, that "Trend Micro helpfully adds a self-signed https certificate for localhost to the trust store, so you don't need to click through any security errors".
His warning is stark:
[...]anyone on the internet can steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction. I really hope the gravity of this is clear to you, because I'm astonished about this.
The conversation over on the Google Security Research newsgroup makes for interesting reading, as it exposes how the bug discovery program works. Ormandy pointed out that one of Trend Micro's APIs relied on an 'ancient' build of Chromium (41):
I spent a few minutes trying to understand how the SB shell worked, and then realized they were just hiding the global objects. I sent this annoyed follow up:
"This thing is ridiculous, wtf is this:
https://localhost:49155/api/showSB?url=javascript:alert(topWindow.require("child_process").spawnSync("calc.exe"))
You were just hiding the global objects and invoking a browser shell...? ...and then calling it "Secure Browser"?!? The fact that you also run an old version with --disable-sandbox just adds insult to injury.
I don't even know what to say - how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?
You need to come up with a plan for fixing this right now. Frankly, it also looks like you're exposing all the stored passwords to the internet, but let's worry about that screw up after you get the remote code execution under control.
Please confirm you understand this report."
Trend Micro customer support very quickly connected with Ormandy and started to work with him with a view to developing a fix. The company has now patched the problem, pushing out a mandatory update to users. In a post on the company's blog, Christopher Budd says:
It’s important to note that for Trend Micro Password Manager, ActiveUpdates cannot be turned off which means that all current Trend Micro Password Manager customers get all updates provided through ActiveUpdate. For all intents and purposes, the reported critical vulnerabilities affect an old, no-longer available version of Trend Micro Password Manager.
Photo credit: Brian A Jackson / Shutterstock