A password management tool from security firm Trend Micro was found to be vulnerable to remote code execution.
A researcher on Google’s Project Zero security team discovered bugs in the antivirus program that can provide an entry point for hackers to steal all of a user’s passwords.
According to Tavis Ormandy, the researcher who exposed the vulnerabilities, even after Trend Micro issued an initial fix, the password management tool still exposed roughly 70 API calls, ZDNet reported Tuesday (Jan. 12).
“I sent a mail saying, ‘That is the most ridiculous thing I’ve ever seen,’” Ormandy said in email messages he posted, documenting his exchange with Trend Micro.
“I don’t even know what to say — how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?”
In his messages to the security firm, Ormandy pointed out the severity of distributing a password management tool that exposes the sensitive data it is built to keep secure.
“Anyone on the Internet can steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction. I really hope the gravity of this is clear to you, because I’m astonished about this,” Ormandy said in an email message.
Trend Micro’s antivirus software ships with a password manager to which users can choose to export their passwords, but the tool is written in JavaScript and exposes API endpoints that accept code sent in remote requests.
“As part of our standard vulnerability response process, we worked with him to identify and address the vulnerability,” Christopher Budd, global threat communications manager at Trend Micro, wrote in an email to PCWorld. “Customers are now getting protections through automatic updates.”