Trend Micro harshly criticized by researcher, who discovered critical security flaws in its Password Manager

by Ashwin, January 12, 2016

Trend Micro, the popular security research firm and antivirus maker, is the latest to be on the receiving end of criticism from Tavis Ormandy.

The Google Project Zero engineer has slammed the antivirus maker for security vulnerabilities in its products.

Ormandy has previously discovered vulnerabilities in products from ESET, Kaspersky, and AVG, to name a few.

The issue was that the Trend Micro antivirus installs a password manager app, which was actually the vulnerable component. The app, which starts automatically upon boot, was written in Node.js and makes several HTTP RPCs (Remote Procedure Calls), which were open to arbitrary code execution.
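As an added illustration (not Trend Micro's code and not from the original article), here is how a Node.js service that accepts HTTP RPC on localhost can limit who may call it and which procedures can run. The port, header name and method names are hypothetical.

```javascript
'use strict';
const crypto = require('node:crypto');

// All names and values below are hypothetical, chosen for illustration.
const PORT = 49155;
const ALLOWED_HOSTS = new Set([`127.0.0.1:${PORT}`, `localhost:${PORT}`]);
// Per-run secret handed only to the trusted local client (e.g. via a user-only file).
const SESSION_TOKEN = crypto.randomBytes(32).toString('hex');

// Fixed allowlist: each RPC name maps to one handler. Nothing from the
// request is ever passed to eval, require or a child process.
const METHODS = {
  getVersion: () => ({ version: '1.0.0' }),
  lockVault: () => ({ locked: true }),
};

// Constant-time comparison of the supplied token with the session token.
function tokenMatches(supplied) {
  const a = Buffer.from(String(supplied || ''));
  const b = Buffer.from(SESSION_TOKEN);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Decide what to do with one request; returns { status, result | error }.
function handleRpc({ method, headers, body }) {
  // Host must name the loopback listener (defends against DNS rebinding).
  if (!ALLOWED_HOSTS.has(headers.host)) return { status: 403, error: 'bad host' };
  // Browsers add Origin to cross-site POSTs; the local client sends none.
  if (headers.origin !== undefined) return { status: 403, error: 'cross-origin' };
  // A JSON content type forces a CORS preflight for any browser-issued request.
  if (method !== 'POST' || headers['content-type'] !== 'application/json') {
    return { status: 400, error: 'POST application/json only' };
  }
  if (!tokenMatches(headers['x-rpc-token'])) return { status: 401, error: 'bad token' };

  let call;
  try { call = JSON.parse(body); } catch { return { status: 400, error: 'bad JSON' }; }
  // Own-property lookup so "constructor" or "__proto__" never resolve to a handler.
  const known = call && typeof call.method === 'string' &&
    Object.prototype.hasOwnProperty.call(METHODS, call.method);
  if (!known) return { status: 404, error: 'unknown method' };
  return { status: 200, result: METHODS[call.method]() };
}
```

In a real service `handleRpc` would sit inside an `http.createServer` callback bound to `127.0.0.1` only, with the request body size capped before parsing.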

Immediately after finding one loophole in just 30 seconds, Ormandy notified Trend Micro and asked them to fix it. The company, after exchanging several messages with the researcher, was able to fix the issue, but not before he lashed out at it.

The password manager apparently stores the hashed passwords and the concerned websites, the latter being stored in plaintext, making them viewable to hackers.

Ormandy seems to have been upset by the fact that Trend Micro did not immediately respond to his queries. And considering the security risks involved, his urgency does seem to be fair. To make things worse, Trend Micro does not seem to have properly communicated with the security researcher, as the thread at the forums suggests he emailed about three of them before they fixed the issue.

Though Ormandy does a great job of finding security flaws and reporting them to antivirus vendors, his posts are very strongly worded. Ars Technica reported the news, observing that Ormandy’s posts sound more like a scathing attack, even going as far as advising Trend Micro to hire a proper security professional to audit its software. To be honest, it does seem to be far from a professional conversation.

It is worth noting that in another vulnerability he recently discovered, he referred to the AVG Web TuneUp extension as “trash being installed for Chrome users” in a harshly worded email addressed to AVG. Considering these posts are publicly available, it is quite a bit insulting to the companies involved.

Back to the issue at hand, Ormandy has confirmed that Trend Micro has issued an emergency patch to fix the remote attack issues. But he also noted that the Trend Micro antivirus password manager was found to have around 70 APIs which are vulnerable to attacks, again through remote code execution. This was again slammed by the researcher, but the antivirus maker has promised to fix the issues in a future update.

We aren’t going to quote any of the statements here, but you can read the official thread for more details.