
Vuln in Trend Micro Antivirus for Windows allows 'anyone' to read stored passwords

Flaw found by Google researcher allows attackers to access data in solution's password manager

The Google researcher lambasted Trend Micro for enabling the flawed password manager by default

A critical vulnerability that could allow an attacker to access passwords has been found in Trend Micro Antivirus for Windows, according to a researcher with Google's Project Zero team.

Tavis Ormandy last week publicly disclosed the vulnerability, which he said took him 30 seconds to find. The flaw, he said, could allow an attacker to access data held within the antivirus' built-in password manager.

"When you install TrendMicro Antivirus on Windows, by default a component called Password Manager is also installed and automatically launched on startup," he wrote.

"This product is primarily written in JavaScript with node.js, and opens multiple HTTP RPC ports for handling API requests. It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute(). This means any website can launch arbitrary commands."

The real problem, Ormandy said, was that the password manager was turned on by default: because it was installed and launched automatically at startup, the flaw affected even users who had never opened it. He said that he had also found a "nice clean" API for accessing passwords stored in the password manager, "so anyone can just read all of the stored passwords".

"I don't even know what to say - how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?" he quoted himself as saying in an email chain between himself and Trend Micro.

"You need to come up with a plan for fixing this right now. Frankly, it also looks like you're exposing all the stored passwords to the internet, but let's worry about that screw up after you get the remote code execution under control."
