On January 5, Tavis Ormandy, a researcher with Google Project Zero, reported a remote code execution (RCE) vulnerability in Password Manager, a product that Trend Micro bundles with its antivirus.
According to Ormandy's report, it took him only about 30 seconds to identify an API that could be abused for RCE. Because the Password Manager accepts API requests from any web page, an attacker who knows about the flaw only needs the user to visit a malicious website; the attacker can then execute commands with the user's privileges.
The report Ormandy filed with Trend Micro demonstrates the abuse through the openUrlInDefaultBrowser API, but the Password Manager exposes nearly 70 APIs to the Internet in the same way.
Another API, exportBrowserPasswords, can also be called to export the stored passwords. In its defense, the security firm said that it would not be easy for an attacker to decrypt the passwords, which the product stores in encrypted form.
Trend Micro also added a self-signed HTTPS certificate to the local machine's certificate store so that users would not see certificate errors, a practice reminiscent of the recently reported Lenovo Superfish and Dell eDellRoot flaws.
Trend Micro released a patch on Monday, January 11, to address the reported vulnerability. After testing it, Ormandy confirmed that it fixed the issue, though he still recommended that the company have a third-party security consultant audit the Password Manager's code.