Trend Micro Antivirus Vulnerability Left Users Open to Attack: Report

Security firm Trend Micro has released an update for its antivirus suite that among other things fixes a vulnerability that allowed an attacker to execute malicious code on an affected system. The emergency patch release comes a week after a Google Project Zero researcher called out Trend Micro, disclosing the vulnerability to public. The vulnerability affected all Trend Micro antivirus users.

A password management tool that was installed by default with Trend Micro antivirus suite was found vulnerable to remote code execution attack. The discovery was made by Google's Project Zero security researchers. Tavis Ormandy, a researcher with Project Zero, revealed the details of the vulnerability to the public last week. Users who never utilised the feature were also affected.

Built on JavaScript and Node.js, the password management tool laid open a number of ports, exposing a Trend Micro antivirus user to any malicious JavaScript request. Furthermore, Trend Micro also used a self-signed security certificate in an attempt to offset HTTPS errors.

In addition, the vulnerability also allowed an attacker to view contents of a password manager built into the malware protection program. "I don't even know what to say - how could you enable this thing by default on all your customer machines without getting an audit from a competent security consultant?" Ormandy wrote.

"You need to come up with a plan for fixing this right now. Frankly, it also looks like you're exposing all the stored passwords to the internet, but let's worry about that screw up after you get the remote code execution under control."

Ormandy had advised Trend Micro to disable the concerned feature right away and hire an external consultant to audit the code. This would have ensured that at least users were not vulnerable to the attack. Trend Micro, however, didn't disable the tool and issued an emergency fix.

"In my opinion, you should temporarily disable this feature for users and apologise for the temporary disruption, then hire an external consultancy to audit the code. In my experience dealing with security vendors, users are quite forgiving of mistakes if vendors act quickly to protect them once informed of a problem, I think the worst thing you can do is leave users exposed while you clean this thing up. The choice is yours, of course," said Ormandy.