A Google security researcher has discovered a serious, easily exploitable vulnerability in a password manager installed by default with some Trend Micro antivirus products. The bug allows an attacker not only to run arbitrary commands but also to download all of the passwords stored by the manager.
The vulnerability was discovered by Tavis Ormandy, a researcher who has spent quite a lot of time in the last few months looking for bugs in antivirus and anti-malware products. Ormandy discovered the vulnerability in Trend Micro’s password manager several months ago, but it was disclosed in the last couple of days after Google’s 90-day grace period for vendor responses expired.
“When you install TrendMicro Antivirus on Windows, by default a component called Password Manager is also installed and automatically launched on startup. This product is primarily written in JavaScript with node.js, and opens multiple HTTP RPC ports for handling API requests. It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute(). This means any website can launch arbitrary commands,” Ormandy wrote in an explanation of the bug.
Ormandy went back and forth with the engineers at Trend Micro about the details of the vulnerability, finding more problems as he dug deeper. Beyond the remote command-execution bug in the password manager, he also found that an attacker could download a victim’s stored passwords.
“I spent a few minutes looking into how passwords are stored if the user is using the password feature, or if they’ve exported all their browser passwords to Trend Micro (you’re prompted to do that on installation, but it’s optional and you can decline). To be clear, you can get arbitrary code execution whether they’re using it or not, but stealing all the passwords from a password manager remotely doesn’t happen very often, so I wanted to document that,” Ormandy said.
“So this means anyone on the internet can steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction. I really hope the gravity of this is clear to you, because I’m astonished about this.”
Trend Micro has issued a fix for the vulnerability, but other messages in the same thread as Ormandy’s disclosure said the fix may not be enough to stop all attacks on the vulnerabilities. Security experts often recommend that users employ password managers to keep track of all their credentials and to generate strong, unique passwords. That is a good line of defense against some specific attacks, such as credential reuse, but vulnerabilities in security products like this can be especially damaging because users inherently trust those applications. A local service listening on an HTTP port is reachable by any web page the user visits, since the browser will make requests to localhost on the page’s behalf, so a supposedly internal API is effectively exposed to the entire internet.
Image from Flickr stream of Angel Arcones.