Trend Micro Patches Password-Leaking Software Flaw

Trend Micro has patched a flaw in its antivirus software that potentially put PCs at risk of being hijacked by criminals.

The vulnerability was uncovered by Google security researcher Tavis Ormandy, who found that the Password Manager tool bundled with the software shipped with a major JavaScript flaw.

This could allow hackers to access the software and take control of it in a matter of seconds, giving them the ability to execute commands and launch programs on unsuspecting users’ PCs, as well as potentially exposing every password saved in Password Manager on the machine.

This was demonstrated by one user launching the Calculator program bundled with Windows on a user’s PC, showing that an attacker could run programs at will (pictured below).

At risk

“This product is primarily written in JavaScript with node.js, and opens multiple HTTP RPC ports for handling API requests,” Ormandy’s blog noted. “It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute(). This means any website can launch arbitrary commands.

“I don’t even know what to say – how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?”

Following the publication of his blog on Google’s security research site, Ormandy confirmed he had been contacted by Trend Micro, which thanked him for pointing out the flaw.

The company says it has now fixed the problem and has issued a patch for Password Manager that removes the ShellExecute call from the software.

“The most important thing to know is that the critical vulnerabilities in the public report have been fixed for all Trend Micro Password Manager customers,” a Trend Micro statement said. “As part of our standard investigation we checked and verified that the only product affected by these issues is our consumer Trend Micro Password Manager and no commercial or enterprise products are affected.”

“We responded quickly to the initial report and worked with Tavis throughout the process to understand the issue and address them. Thanks to his responsible work with us, we were able to address the most critical issues he brought us in less than one week. We are not aware of any active attacks against these vulnerabilities in that time.”


Mike Moore

Michael Moore joined TechWeek Europe in January 2014 as a trainee before graduating to Reporter later that year. He covers a wide range of topics, including but not limited to mobile devices, wearable tech, the Internet of Things, and financial technology.
