TrendMicro recently pushed out a new version of its Antivirus solution that contained a very significant security vulnerability. People install an anti-virus tool to improve the security of their system, but one of TrendMicro's latest updates to the software's password manager left the door wide open and allowed remote attackers to execute commands and steal passwords.
The security flaw was discovered by security researcher Tavis Ormandy of Google's Project Zero. After installing TrendMicro Antivirus, he noticed that the software's password management component opened up a few network ports to fire up a web server that exposes utility APIs to the Internet. It took Ormandy just 30 seconds to spot one that allowed arbitrary command execution.
The researcher provided a proof-of-concept page that would uninstall the TrendMicro software from a test system. He noted that an attacker could silently exploit the bug, as TrendMicro adds its own self-signed certificate to the system, meaning a victim wouldn't see any security alerts. Adding insult to TrendMicro's injury, he then found additional vulnerabilities in the way the password manager handled management commands originating from TrendMicro's servers. These vulnerabilities could let an attacker steal the user's stored passwords, even if they were encrypted.
The findings were shared with TrendMicro, which has since patched its software.