A Google Project Zero researcher has left security vendor Trend Micro with egg on its face, after discovering its software contains multiple, serious vulnerabilities that are easy to exploit without user interaction or notification.
Tavis Ormandy of Project Zero noted that when Trend Micro antivirus is installed on Windows, the password manager component - written mostly in Javascript using the node.js framework that's included by default - allows any any website to run arbitrary code on users' machines.
The flaw in password manager allegedly took Ormandy only about 30 seconds to discover.
He said the vulnerability is trivial to exploit, and can be used to execute commands without any visible prompts or notifications to users, who would be unaware that their machines are being attacked.
Ormandy reported the issue to Trend Micro, which has developed a fix for the problem.
However, Ormandy noted that password manager exposed almost 70 application programming interfaces to anyone on the internet, with potentially "scary" consequences if they are abused by attackers.
"I [told] them [Trend Micro] I'm not going to through [the APIs], but that they need to hire a professional security consultant to audit it urgently," Ormandy wrote.
The researcher dug further into the Trend Micro product, and found that it was simple for an attacker to remotely steal all passwords stored on a computer, without users noticing anything.
"... this means, anyone on the internet can steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction.
"I really hope the gravity of this is clear to you, because I'm astonished about this," Ormandy said in emails sent to Trend Micro.
As of today, Trend Micro has provided an update that Ormandy has tested and which mitigates against what he calls the most urgent issues. Ormandy says there are still problems with the Trend Micro product, however, that should be fixed.
