Trend Micro Flaw Exposes Passwords of All Their Customers

Posted on the 12 January 2016 by Tftb @TFTB

Last week it was AVG with a security vulnerability in their Chrome extension WebTuneUp, this time it is Trend Micro with their desktop installation. The first thing to do while you read this article is, update your Trend Micro Security Suite immediately.

Google Security researcher Tavis Ormandy works very hard to keep the internet a safe place to live. One of the researcher with the Google's Project Zero team published a security flaw with Trend Micro which could potentially expose all the passwords saved on the computer within the Trend Micro's password manager.

A password manager tool is installed and enabled by default when Trend Micro Antivirus is installed for the first time. Not only it is enabled but it runs with the system when you turn it on and even asks you to import all your passwords from your browser in it. This means all your passwords entered after you turn on your computer are saved in the password manager and then some which are already stored in the system.

Trend Micro built this password manager using JavaScript and Node.js and it creates a local server on the user's system to run itself.

It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute().

After the initial report last week, Trend Micro responded to it immediately and released a quick-fix to solve this problem and fix a major vulnerability which could potentially leak all the passwords from a victim's computer without them knowing it is happening right under the nose of their trusted antivirus installed on their system. Despite taking more than 2 days to fix such a huge exploitable issue it wasn't done properly. It still more more than 70 exposed APIs which could potentially be exploited by an attacker.

I'm still concerned that this component exposes nearly 70 API's (!!!!) to the internet, most of which sound pretty scary. I tell them I'm not going to through them, but that they need to hire a professional security consultant to audit it urgently.

I don't even know what to say - how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?

You need to come up with a plan for fixing this right now. Frankly, it also looks like you're exposing all the stored passwords to the internet, but let's worry about that screw up after you get the remote code execution under control.

On spending more time on the exploits, Tavis realised there is more to it than it seems. The password manager seemed like an open book on the internet for anyone to read. This exploit opened it for anyone steal all the passwords completely silently and also can execute any code without the user interaction to it. This meant any attacker could just run a malicious code on the infected system through the password manager as soon as the system is turned on and connected to the internet.

Tavis even suggested them to stop installing it by default till its fixed and for their installed users, they should disable the feature and apologize for it while they fix it.

Trend Micro finally woke up and realised the gravity of the situation and issue an update and a temporary built for Tavis to test, they also went ahead explaining what exactly they are working on.

Please note, we are still assessing the best way to address the sandbox function, and are considering temporarily disabling it in a future build - however, since we are still assessing the impact on other core functions of the product, we have left it intact for now.

Finally, 6 days later Trend Micro added an origin check for all the commands and whitelisted the pwn.trendmicro.com domain. This was a satisfactory patch for Tavis which he thinks has fixed the potentially vulnerable exploits to the password manager.

Trend Micro celebrated their 25th anniversary in 2013 and have prestigious awards under their belt, #1 Content Security for Small Business, #1 Global Cloud Security Market and even have won back-to-back awards for being leaders in Server Security. The way they handled this password manager exploit does not resonate the same nor is it expected from such an established security firm.

Project Zero was started by Google in July 2014 with an objective to reduce the number of cyber attacks to people and make internet safer. In past Project Zero has exposed various vulnerabilities in many security products like Kaspersky Lab and AVG.
You can readthe thread created by Tavis which is now public and open for anyone to read.