Password-management software helps people keep track of long lists of complex passwords, but it also concentrates risk: compromise the one program and you get every credential it holds. The Tokyo-based antivirus maker Trend Micro just learned this the hard way, as a set of flaws in its password manager opened users up to remote attacks and the theft of entire password databases.
Tavis Ormandy, a researcher with Google's Project Zero vulnerability research team, discovered the flaws in Trend Micro's Windows antivirus programs and wrote them up publicly on Jan. 5 after notifying the company. His first finding was that an attacker could execute code remotely on any system that had Trend Micro installed, which was already bad enough on its own.
But the more he dug into Trend Micro's software, the more problems he found. Among other things, Ormandy discovered what he called "a nice clean API" inside the antivirus software that was exposed to the Internet and made it easy for anyone to "just read all of the stored passwords."
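The article does not describe how the API was reachable or what it looked like. As an added illustration (not Trend Micro's code, and not Ormandy's proof of concept), the following Python stands up a hypothetical password-manager helper on 127.0.0.1 in two configurations: one that, like the pattern described above, hands the vault to any caller that asks, and a hardened one that only answers an allow-listed Origin presenting a per-launch secret. The vault contents, the extension origin, the `X-Vault-Token` header and the `/api/passwords` path are all constructed for the example.

```python
"""Local password-manager helper API: the flawed pattern (any caller can read
the vault) beside a hardened version. Constructed example, stdlib only."""
import hmac
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Constructed sample vault standing in for the stored passwords; hypothetical.
VAULT = {
    "mail.example.com": {"user": "alice", "password": "correct horse battery staple"},
    "bank.example.com": {"user": "alice", "password": "hunter2"},
}

# Assumption: only the manager's own browser extension may call the helper.
ALLOWED_ORIGINS = {"chrome-extension://vaulthelperextensionid"}

# Per-launch secret delivered only to that extension (assumed to travel over a
# privileged channel, never to ordinary web pages).
SESSION_TOKEN = secrets.token_urlsafe(32)


def vulnerable_authorize(headers):
    """The flawed pattern: every request is trusted, whoever sent it."""
    return True


def hardened_authorize(headers, expected_token=None):
    """Accept only an allow-listed Origin that carries the per-session token."""
    expected = SESSION_TOKEN if expected_token is None else expected_token
    if headers.get("Origin", "") not in ALLOWED_ORIGINS:
        return False
    supplied = headers.get("X-Vault-Token", "")
    # Constant-time comparison: a timing leak would let a caller recover the
    # token byte by byte.
    return hmac.compare_digest(supplied.encode(), expected.encode())


def handle_request(path, headers, authorize):
    """Route a GET. Returns (status, body) so callers and tests can inspect it."""
    if not authorize(headers):
        return 403, {"error": "forbidden"}
    if urlparse(path).path == "/api/passwords":
        return 200, VAULT
    return 404, {"error": "not found"}


def make_handler(authorize):
    """Build an http.server handler bound to one authorization policy."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            status, body = handle_request(self.path, self.headers, authorize)
            payload = json.dumps(body).encode()
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

        def log_message(self, *args):  # keep the demo output quiet
            pass

    return Handler


def fetch(port, headers):
    """Issue one GET against the helper the way a page's script would."""
    req = urllib.request.Request(
        f"http://127.0.0.1:{port}/api/passwords", headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    evil = {"Origin": "https://evil.example"}            # arbitrary web page
    extension = {"Origin": next(iter(ALLOWED_ORIGINS)),
                 "X-Vault-Token": SESSION_TOKEN}          # the legitimate client
    for label, authorize in (("vulnerable", vulnerable_authorize),
                             ("hardened", hardened_authorize)):
        server = HTTPServer(("127.0.0.1", 0), make_handler(authorize))
        threading.Thread(target=server.serve_forever, daemon=True).start()
        port = server.server_address[1]
        print(f"{label}: web page -> {fetch(port, evil)}, "
              f"extension -> {fetch(port, extension)}")
        server.shutdown()
        server.server_close()
```

Binding to 127.0.0.1 is not a defense by itself: a script on any website the user visits runs on the user's machine and can reach a loopback port. The hardened handler therefore checks who is asking (Origin) and proves the caller was given the secret (token), and rejects everything else before touching the vault.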
He also found that Trend Micro's "secure" browser was an old version of Chromium (the open-source project Google Chrome is based on) running with its software sandbox disabled. The sandbox is what keeps a bug in the renderer (the part that parses web pages and runs JavaScript) from turning into code execution on the machine, so a browser without it lets a single exploitable bug in an outdated engine run malware with the user's full privileges.
Never one to mince words, Ormandy made no effort to hide his disgust with the flaws in the emails to Trend Micro representatives that he published alongside his findings.
"That is the most ridiculous thing I've ever seen," Ormandy wrote in regard to the secure browser. "I don't even know what to say — how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?"
"You need to come up with a plan for fixing this right now," he added. "Frankly, it also looks like you're exposing all the stored passwords to the Internet, but let's worry about that screw-up after you get the remote code execution under control."
Lately, Ormandy has been on a one-man campaign to protect users from flawed antivirus software, having recently revealed a mistake in AVG software that exposed users' Web-browsing activities.
Fortunately, Trend Micro has issued updates to patch most of the vulnerabilities Ormandy found. All users of Trend Micro antivirus products on Windows should open the program immediately and download the update: their systems are exposed to the remote-code-execution flaw even if they never use the suite's password manager.
A full and unlocked version of Trend Micro's password manager is included with the Premium Security and Maximum Security editions of the company's antivirus software. The password manager can also be downloaded and installed separately, in both free and paid versions.
Users of Trend Micro's other Windows antivirus products, Internet Security and Antivirus + Security, don't have the password manager or secure browser enabled. But the products may still contain the flawed code, because some antivirus products install the most fully featured version and simply keep certain features disabled until the user pays to activate them. Disabled is not the same as absent, which is why the update matters for those users too.
While we recommend all users install strong and robust antivirus solutions on their PCs, antivirus software runs with system-level privileges and, by design, parses untrusted input from the network, so a bug in it hands an attacker exactly the foothold it was supposed to deny. A study of antivirus-software security conducted this past fall by German testing lab AV-TEST gave scores below 90 percent to Bitdefender Internet Security (87.9 percent), Panda Security Free Antivirus (87.4 percent) and Trend Micro Internet Security (76.0 percent).
We also recommend users weigh the pros and cons of using password managers, which place all of a user's account credentials into a single program. That concentrates risk: a flaw in the manager, as here, exposes everything at once, and recent history has shown that password managers, including KeePass and LastPass, can be hacked. That risk has to be weighed against the far more common failure the manager exists to prevent, which is reusing the same weak password everywhere.