A bug in its software meant that Trend Micro accidentally left a remote debugging server running on customer machines.
The flaw, discovered by Google’s Project Zero researcher Tavis Ormandy, opened the door to command execution of vulnerable systems (running either Trend Micro Maximum Security, Trend Micro Premium Security or Trend Micro Password Manager).
Ormandy – who previously discovered a somewhat similar flaw in Trend Micro’s technology – described the latest flaw as “ridiculous”.
Trend Micro issued a patch for the flaw on Wednesday, a little over a week after Ormandy reported the bug to it on 22 March. The patch is not complete but does address the most critical issues at hand, according to Trend.
In a statement, Trend Micro explained its handling of the bug, which it points out affects only its consumer security software and not its enterprise technology.
Trend Micro is aware of a disclosure by Tavis Ormandy, a well-known and respected researcher with Google’s Project Zero team, regarding vulnerabilities discovered in Trend Micro Password Manager, a consumer-focused product. This issue was found to only affect Trend Micro Password Manager, which is bundled with the Trend Micro Titanium Maximum Security consumer-focused product. Password Manager is not included with any SMB or enterprise products.
As part of our standard product vulnerability response process, a mandatory patch addressing the most critical issues was validated by the researcher and automatically pushed to affected Trend Micro Password Manager consumers via Trend Micro’s ActiveUpdate servers. Most, if not all, users of the product should have the update in place at this time. It is important to note that there is no evidence that the proof of concept exploits reported to us were ever used publicly.
Ormandy, a top bug hunter on the Google Project Zero team, has carved out a particular speciality in rooting out security flaws of anti-virus products, uncovering bugs in technology from ESET, FireEye, Kaspersky and Avast. He’s less than impressed with the quality of Trend’s fix, as his publication of his email exchanges with the security firm reveal.
“I looked at the patch using BinDiff and had some concerns about the quality of the fix, and identified some edge-cases where it would fail,” Ormandy writes. ®