Vuln in Trend Micro Antivirus for Windows allows 'anyone' to read stored passwords

Flaw found by Google researcher allows attackers to access data in solution's password manager

The Google researcher lambasted Trend Micro for enabling the flawed password manager by default

By Tom Paye, published January 13, 2016

A critical vulnerability that could allow an attacker to access passwords has been found in Trend Micro Antivirus for Windows, according to a researcher with Google's Project Zero team.

Tavis Ormandy last week publicly disclosed the vulnerability, which he said took him 30 seconds to find. The flaw, he said, could allow an attacker to access data held within the antivirus' built-in password manager.

"When you install TrendMicro Antivirus on Windows, by default a component called Password Manager is also installed and automatically launched on startup," he wrote.

"This product is primarily written in JavaScript with node.js, and opens multiple HTTP RPC ports for handling API requests. It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute(). This means any website can launch arbitrary commands."

The real problem, Ormandy said, was that the password manager was turned on by default, but the vulnerability would even affect users who had never launched it. He said that he had found a "nice clean" API for accessing passwords stored in the password manager, "so anyone can just read all of the stored passwords".

"I don't even know what to say - how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?" he quoted himself as saying in an email chain between himself and Trend Micro.

"You need to come up with a plan for fixing this right now. Frankly, it also looks like you're exposing all the stored passwords to the internet, but let's worry about that screw up after you get the remote code execution under control."
