If you are using Trend Micro’s Maximum Security 10 solution for Windows, you might want to update it to the latest available version as soon as possible. If you don’t you’re opening yourself to the danger of getting your computer hijacked and all your passwords stolen (if you use the Password Manager component that comes with the AV).
The flaws that allow all that have been discovered by white-hat Tavis Ormandy, a member of Google’s Project Zero team, who has lately been analyzing (and pointed out that there is an active black market trade in antivirus exploits, and because of that “vendors of security products have a responsibility to uphold the highest secure development standards possible to minimise the potential for harm caused by their software.”
In this latest instance, Ormandy discovered that the Password Manager component that gets installed and launched by default once users install the security solution opens multiple HTTP RPC ports for handling API requests.
“It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute(),” he noted.
This means any website can launch arbitrary commands, just by offering a malicious link. If attackers succeed in tricking the user (with the Trend Micro solution installed) into clicking on it, specific arbitrary code is automatically executed on the user’s computer, and the attackers have a way into it. Depending on how skilled they are, they could do much damage.
This particular remote code execution flaw has been fixed in the latest version of the software, but the problem of the APIs the Trend Micro Password Manager exposes to the Internet still (partially) remains.
Among those APIs Ormandy found one that could be exploited by attackers to access passwords stored in the password manager.
“Users are prompted on installation to export their browser passwords, but that’s optional. I think an attacker can force it with /exportBrowserPasswords API, so even that doesn’t help,” he noted.
“In my opinion, you should temporarily disable this feature for users and apologise for the temporary disruption, then hire an external consultancy to audit the code. In my experience dealing with security vendors, users are quite forgiving of mistakes if vendors act quickly to protect them once informed of a problem, I think the worst thing you can do is leave users exposed while you clean this thing up. The choice is yours, of course,” he told Trend Micro.
The company fixed the problem with this API, so both remote code execution and password leakage is made impossible (according to them). They have also been working on protecting the other exposed APIs.