Google Researcher Chews Out Trend Micro for Security Vulnerability

A Google researcher recently discovered that a password manager application installed by default for customers with Trend Micro's anti-virus software for Windows had an exploitable vulnerability that could have exposed all of a user's stored passwords to hackers. Trend Micro quickly patched the problem after receiving a tongue-lashing from Google Project Zero researcher Tavis Ormandy.

Earlier this month, Ormandy posted his findings on the Google Security Research page, warning that "it took about 30 seconds" for him to spot a way to launch arbitrary commands using a vulnerability in the password manager's JavaScript. A member of Trend Micro's team responded shortly afterward by thanking Ormandy for the report, adding the company was checking its software for bugs.

Ormandy's criticisms became more pointed a couple of days later, after he identified code that purported to support a secure browser by invoking a browser shell in an old version of Google Chromium. "I don't even know what to say -- how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?" he asked in an e-mail to Trend Micro on January 7.

Trend Micro noted in its response to Ormandy, "Rest assured that this will be investigated thoroughly."

Looking into 'Future Improvement'

"The most important thing to know is that the critical vulnerabilities in the public report have been fixed for all Trend Micro Password Manager customers," global threat communications manager Christopher Budd noted in a blog post published on Monday. A mandatory update went out to all customers with the software that day, he said, adding that the company was not aware of any active attacks against these vulnerabilities before they were patched.

In his last update before closing the Google Security Research thread about the vulnerability, Ormandy acknowledged the patch and...