Trend Micro AV gave any website command-line access to Windows PCs


Updated: PCs running Trend Micro’s Antivirus on Windows can be hijacked, infected with malware, or wiped clean by any website, thanks to a vulnerability in the security software.

The design blunders were discovered by Google Project Zero bod Tavis Ormandy. A patch is now available to address the remote-code execution flaw, so Trend Micro users should update their software as soon as possible.

Ormandy, who has been auditing widely used security packages, analyzed a component in Trend’s AV software dubbed the Password Manager. He found that multiple HTTP RPC ports for handling API requests were accessible.

“It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute(),” he wrote in a bug report to Trend.

This means that any webpage visited by a victim could run a script that uses Trend Micro’s AV to run commands directly on the machine – such as RD C:\ /S /Q to wipe the system drive, or commands to download and install malware. As another example, this code uninstalls Trend Micro’s security software on a PC without the owner’s knowledge or consent.
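The root problem described above is a localhost HTTP RPC service that any web page the browser loads can reach, with a method that hands its argument to ShellExecute(). The following is an added example, not Trend Micro's code, of the gate such a service needs in front of its handlers: an origin allowlist, a per-session token that only the vendor's own UI receives, a method allowlist, and a handler that refuses anything that is not an http(s) URL. Method and header names are assumed for illustration.

```python
import secrets
from typing import Callable, Dict, Iterable, List, Tuple

class LocalRpcGate:
    """Decides whether a request to a localhost RPC port may reach a handler."""

    def __init__(self, handlers: Dict[str, Callable[[dict], str]],
                 allowed_origins: Iterable[str]):
        self.handlers = handlers
        self.allowed_origins = set(allowed_origins)
        # Per-session secret handed only to the vendor's own UI process;
        # a script on an arbitrary website never learns it.
        self.token = secrets.token_hex(16)
        self.rejections: List[Tuple[str, str]] = []

    def dispatch(self, headers: dict, method: str, params: dict) -> str:
        h = {k.lower(): v for k, v in headers.items()}
        origin = h.get("origin", "")
        # Browsers always attach Origin to cross-site requests, so an
        # allowlist stops arbitrary web pages before any method runs.
        if origin not in self.allowed_origins:
            return self._reject(method, f"origin not allowed: {origin!r}")
        if not secrets.compare_digest(h.get("x-rpc-token", ""), self.token):
            return self._reject(method, "missing or bad token")
        if method not in self.handlers:
            return self._reject(method, "unknown method")
        return self.handlers[method](params)

    def _reject(self, method: str, reason: str) -> str:
        self.rejections.append((method, reason))  # kept for audit logging
        return "rejected: " + reason

def open_url(params: dict) -> str:
    # Stand-in for a "open URL in default browser" handler (hypothetical name).
    # ShellExecute on an unchecked string is what turned the real method into
    # command execution, so only http(s) URLs are accepted here.
    url = params.get("url", "")
    if not url.startswith(("http://", "https://")):
        return "rejected: only http(s) URLs"
    return "would open " + url

if __name__ == "__main__":
    gate = LocalRpcGate({"openUrlInDefaultBrowser": open_url},
                        ["https://vendor-ui.localhost"])  # constructed origin
    ok = {"Origin": "https://vendor-ui.localhost", "X-RPC-Token": gate.token}
    print(gate.dispatch(ok, "openUrlInDefaultBrowser", {"url": "https://example.com/"}))
    print(gate.dispatch({"Origin": "https://other.example"}, "openUrlInDefaultBrowser", {}))
```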

Then, as Ormandy looked deeper into Trend’s code, more problems were discovered.

Because the password manager was so badly written, Ormandy found that a malicious script could not only execute code remotely, it could also steal all passwords stored in the browser using the flaws in Trend’s software – even if they are encrypted.

One Comment
  1. Reblogged this on TheFlippinTruth.

