Vuln in Trend Micro Antivirus for Windows allows 'anyone' to read stored passwords
Flaw found by Google researcher allows attackers to access data in solution's password manager
A critical vulnerability that could allow an attacker to access passwords has been found in Trend Micro Antivirus for Windows, according to a researcher with Google's Project Zero team.
Travis Ormandy last week publicly disclosed the vulnerability, which he said took him 30 seconds to find. The flaw, he said, could allow an attacker to access data held within the antivirus' built-in password manager.
"When you install TrendMicro Antivirus on Windows, by default a component called Password Manager is also installed and automatically launched on startup," he wrote.
The real problem, Ormandy said, was that the password manager was turned on by default, but the vulnerability would even affect users who had never launched it. He said that he had found a "nice clean" API for accessing passwords stored in the password manager, "so anyone can just read all of the stored passwords".
"I don't even know what to say - how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?" he quoted himself as saying in an email chain between himself and Trend Micro.
"You need to come up with a plan for fixing this right now. Frankly, it also looks like you're exposing all the stored passwords to the internet, but let's worry about that screw up after you get the remote code execution under control."