
Gaping flaw in Trend Micro Antivirus could have spilled all your passwords


sincity


A critical flaw was discovered in Trend Micro's antivirus product by a Google security researcher last week, although the company has now fixed the vulnerability.

The flaw was discovered by Tavis Ormandy, and affected Trend Micro's Password Manager, a module of the security company's antivirus product.

As PC World reports, apparently this password component is written in JavaScript, which Ormandy noted "opens multiple HTTP RPC ports for handling API requests" – and it only took him 30 seconds to spot one which allowed for remote code execution.

After an initial exchange with Trend Micro staff, a temporary fix was produced a day later, which was roundly criticised by Ormandy as ineffectual. He then wrote: "You need to come up with a plan for fixing this right now. Frankly, it also looks like you're exposing all the stored passwords to the internet, but let's worry about that screw up after you get the remote code execution under control."

Ormandy subsequently confirmed that anyone on the net could steal all of a user's passwords, as well as being able to remotely execute code, and said he was "astonished" over the whole affair.

A solution was implemented for the Password Manager product yesterday, released as a mandatory update by the company.

Trend defends

In a blog post, Trend Micro said it has "had a mature vulnerability response for a number of years and we handled these reports within that process." The security firm asserted that it had responded quickly to Ormandy's initial report, and addressed the critical issues within a week, adding: "We are not aware of any active attacks against these vulnerabilities in that time."

Last Friday, Ormandy did also advise Trend Micro to temporarily disable the Password Manager while the fix was worked on, noting that the "worst thing you can do is leave users exposed while you clean this thing up", although that advice wasn't heeded.

Ormandy has previously uncovered major vulnerabilities in security software from Sophos.



