Trend Micro has recently released an update for its security suite to fix the vulnerability that allowed an attacker to execute malicious code on an affected system. This update came out almost a week after the issue had been reported to Trend Micro, by a Google Project Zero researcher. The vulnerability had affected all the users of this antivirus suite.
The issue was found in the password management tool that came with the suite and it was considered as susceptible to remote code execution attack. The discovery was made by the security researchers of the Google Project Zero. Tavis Ormandy, a researcher in Google’s Zero project, had released the details of the issue to the public. Users who never utilized this feature were also affected.
Based on JavaScript and Node.js, the password managing tool had laid open a number of ports, exposing Trend Micro antivirus users to any malicious JavaScript requests. Further issues were created due to the fact that Trend Micro had used self-signed security certificate in an attempt to offset HTTPS errors.
Ormandy wrote in his public statement, “I don’t even know what to say – how could you enable this thing by default on all your customer machines without getting an audit from a competent security consultant?”
“You need to come up with a plan for fixing this right now. Frankly, it also looks like you’re exposing all the stored passwords to the internet, but let’s worry about that screw up after you get the remote code execution under control,” he added.
Ormandy further advised Trend micro to disable the feature as soon as possible and hire an external expert to do the auditing for the code.
“In my opinion, you should temporarily disable this feature for users and apologise for the temporary disruption, then hire an external consultancy to audit the code. In my experience dealing with security vendors, users are quite forgiving of mistakes if vendors act quickly to protect them once informed of a problem, I think the worst thing you can do is leave users exposed while you clean this thing up. The choice is yours, of course,” said Ormandy.