The release of a security report from Google has revealed major issues with Trend Micro's security software which have opened its users up to remote code execution and password theft from its supposedly 'secure' internal storage.
Reported to Trend Micro earlier this month, the flaws spotted by Google's security research team are far-reaching. When installed, the company's anti-virus software suite adds a package for the 'secure' management of usernames and passwords. This launches at Windows startup and does rather more than simply offer to store your passwords: it opens various network ports which expose a wealth of application programming interfaces (APIs).
Initially, the issue was believed to be restricted to remote code execution: any remote attacker could download and execute arbitrary code on a system 'protected' by Trend Micro, without user interaction. That's a serious problem, but further investigation revealed that even with this issue fixed the Trend Micro Password Manager is unfit for purpose: any remote attacker is able to request a dump of all passwords and usernames stored within the Password Manager, again without user interaction.
'This component exposes nearly 70 API's (!!!!) to the internet, most of which sound pretty scary. I tell them I'm not going to go through them, but that they need to hire a professional security consultant to audit it urgently,' Google's Tavis Ormandy explained of his reports to Trend Micro, before finding yet another flaw which simply added insult to injury: 'I happened to notice that the /api/showSB endpoint will spawn an ancient build of Chromium (version 41) with --disable-sandbox. To add insult to injury, they append "(Secure Browser)" to the UserAgent. I sent a mail saying "That is the most ridiculous thing I've ever seen".'
'In my opinion, you should temporarily disable this feature for users and apologise for the temporary disruption, then hire an external consultancy to audit the code,' Ormandy told Trend Micro. 'In my experience dealing with security vendors, users are quite forgiving of mistakes if vendors act quickly to protect them once informed of a problem. I think the worst thing you can do is leave users exposed while you clean this thing up. The choice is yours, of course.'
While Trend Micro has modified its software to check that requests are coming from its own domain - which may or may not resolve the issues, depending on whether the company's website has cross-site scripting (XSS) flaws - it has not yet warned its customers of the rampant issues, nor taken Ormandy's advice and programmatically disabled the Trend Micro Password Manager until it can audit the software for further flaws.
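The fix described above hinges on how the "requests come from our own domain" check is written. The following is an added illustration (not Trend Micro's code; the allow-listed origin and token header name are made up for the example) of a loose substring check beside a strict origin match, and of why a local API should also demand a secret the web page cannot obtain, since an origin check alone is only as strong as the trusted site's own freedom from XSS.

```python
import hmac
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical allow-list standing in for the vendor's "own domain".
ALLOWED_ORIGINS = {"https://example-vendor.test"}


def naive_origin_ok(origin: str) -> bool:
    """Weak check: substring match on the Origin header.
    Any host or query string that merely contains the domain passes."""
    return "example-vendor.test" in origin


def strict_origin_ok(origin: Optional[str]) -> bool:
    """Exact scheme + host(:port) match against the allow-list.
    A missing or malformed Origin header is rejected, not tolerated."""
    if not origin:
        return False
    parts = urlsplit(origin)
    if parts.scheme != "https" or parts.path not in ("", "/"):
        return False
    if parts.query or parts.fragment:
        return False
    return f"{parts.scheme}://{parts.netloc}".lower() in ALLOWED_ORIGINS


def authorize(headers: dict, expected_token: str) -> bool:
    """Origin check plus a per-install random token (hypothetical header
    X-Local-Token) that script on the allowed site cannot read, so an XSS
    bug on that site does not by itself unlock the local API."""
    if not strict_origin_ok(headers.get("Origin")):
        return False
    presented = headers.get("X-Local-Token", "")
    return hmac.compare_digest(presented, expected_token)
```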