Trend Micro plugged a hole in its Maximum Security 10 antivirus solution for Windows
An attacker could end up hijacking a computer and stealing all passwords the user uses in the Password Manager component that comes with the AV.
Tavis Ormandy, a member of Google’s Project Zero team, discovered the flaws.
Ormandy discovered that the Password Manager component, which is installed and launched by default when users install the security solution, opens multiple HTTP RPC ports for handling API requests.
“It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute(),” he said in a blog post.
This means any website can launch arbitrary commands simply by offering a malicious link. If attackers succeed in tricking a user who has the Trend Micro solution installed into clicking on it, arbitrary code executes automatically on the user's computer, and the attackers have a way in.
Trend Micro fixed the flaw in the latest version of the software, but the problem of the APIs the Trend Micro Password Manager exposes to the Internet still (partially) remains.
Among those APIs, Ormandy found one that attackers could leverage to access passwords stored in the password manager.
“Users are prompted on installation to export their browser passwords, but that’s optional. I think an attacker can force it with exportBrowserPasswords API, so even that doesn’t help,” he said.
The company fixed the problem with this API and said that remote code execution and password leakage are no longer possible. It has also been working on protecting the other exposed APIs.
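Both problems the article describes, a local RPC endpoint reachable from any website and a URL argument passed through to ShellExecute(), come down to missing request checks. The following Python is an added illustration, not Trend Micro's or Ormandy's code: a hypothetical request filter for a local HTTP RPC server that rejects cross-origin callers, requires a per-session token, and only lets absolute http/https URLs reach the browser-open handler. The header names, allowed origin, token and method name are assumptions.

```python
from typing import Dict, Tuple
from urllib.parse import urlparse

# Hypothetical: the only web origin allowed to call the local RPC server.
ALLOWED_ORIGINS = {"https://pwm.example.invalid"}
# Hypothetical per-session secret the legitimate client must echo back.
SESSION_TOKEN = "constructed-token-123"
# Schemes that open a web page rather than launching a program via ShellExecute().
SAFE_URL_SCHEMES = {"http", "https"}


def check_rpc_request(headers: Dict[str, str], method: str,
                      params: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason). Reject before any argument reaches ShellExecute()."""
    # 1. Cross-origin check: browsers send Origin on cross-site fetch/XHR,
    #    so a missing or foreign Origin means an arbitrary website is calling.
    origin = headers.get("Origin")
    if origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed"
    # 2. Per-session token so a page cannot simply replay the known local URL.
    if headers.get("X-Session-Token") != SESSION_TOKEN:
        return False, "missing or wrong session token"
    # 3. Argument validation for the browser-open handler: absolute web URLs only.
    if method == "openUrlInDefaultBrowser":
        parsed = urlparse(params.get("url", ""))
        if parsed.scheme.lower() not in SAFE_URL_SCHEMES or not parsed.netloc:
            return False, "url must be an absolute http/https URL"
    return True, "ok"


if __name__ == "__main__":
    good = {"Origin": "https://pwm.example.invalid", "X-Session-Token": SESSION_TOKEN}
    # Constructed sample requests: a foreign website, a non-URL argument, a valid call.
    print(check_rpc_request({"Origin": "https://attacker.invalid"},
                            "openUrlInDefaultBrowser", {"url": "https://example.com/"}))
    print(check_rpc_request(good, "openUrlInDefaultBrowser", {"url": "calc.exe"}))
    print(check_rpc_request(good, "openUrlInDefaultBrowser", {"url": "https://example.com/"}))
```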