Trend Micro closed all the easy-to-exploit vulnerabilities in Password Manager.
Earlier this month, Google researcher Tavis Ormandy told Trend Micro that it had a critical flaw in Password Manager, a component installed by default with Trend Micro’s Premium Security and Maximum Security home products. Trend Micro fixed one vulnerability, but other APIs appeared to be vulnerable as well.
The researcher said it took him only 30 seconds to identify an API that could be leveraged for remote code execution (RCE). An attacker simply needed to lure the victim to a malicious website in order to execute commands on the host with the logged-in user’s privileges.
Ormandy said it was possible to bypass Internet Explorer’s Mark of the Web (MOTW) security feature and execute commands without the victim seeing any prompt.
The proof-of-concept (PoC) submitted to Trend Micro abused the openUrlInDefaultBrowser API, but Ormandy raised concerns over the fact that Password Manager exposed nearly 70 APIs to the Internet. Ormandy had not checked all of the APIs, but he did notice nearly a dozen that were potentially dangerous.
He also discovered that one of the APIs, exportBrowserPasswords, could be abused by an attacker to force the export of a user’s browser passwords into the password manager, and that a different API allowed access to the passwords stored in the Trend Micro product.
Ormandy said an attacker could steal user passwords silently and without any interaction from the victim, but Trend Micro argued that decrypting the encrypted passwords would not have been easy.
Trend Micro pushed out a patch to address the vulnerabilities and Ormandy confirmed the fix resolves the issues. The researcher has advised the security firm to hire external security consultants to audit the password manager’s code.
Trend Micro said its product team has been reviewing the source code of the exposed APIs to ensure that none of them can be triggered remotely.