Trend Micro AV gave any website command-line access to Windows PCs
Updated: PCs running Trend Micro’s Antivirus on Windows can be hijacked, infected with malware, or wiped clean by any website, thanks to a vulnerability in the security software.
The design blunders were discovered by Google Project Zero bod Tavis Ormandy. A patch is now available to address the remote-code execution flaw, so Trend Micro users should update their software as soon as possible.
Ormandy, who has been auditing widely used security packages, analyzed a component of Trend’s AV software dubbed the Password Manager. He found that it exposed multiple HTTP RPC ports for handling API requests, and that these were accessible to outside callers.
“It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute(),” he wrote in a bug report to Trend.
This means that any webpage visited by a victim could run a script that uses Trend Micro’s AV to run commands directly on the machine – such as RD C:\ /S /Q to wipe the system drive, or commands to download and install malware. As another example, this code uninstalls Trend Micro’s security software on a PC without the owner’s knowledge or consent.
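The flaw described above is a classic confused-deputy pattern: a locally listening HTTP API takes a string from whoever connects and hands it straight to ShellExecute(). The following Python is an added illustration, not Trend Micro’s code or Ormandy’s proof of concept; it models the vulnerable handler beside a hardened one that checks the caller’s origin, parses the URL scheme with an allowlist, and returns a structured decision instead of shelling out. The function names, the trusted-origin value and the sample requests are all constructed for the example.

```python
"""
Added example: a local "open URL" RPC handler written two ways.
Neither function executes anything; each returns a Decision describing
what a real handler would do, so the logic can be tested offline.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Only real web schemes may be opened in a browser.
ALLOWED_SCHEMES = {"http", "https"}
# Hypothetical allowlist of page origins permitted to call the local API.
# The original flaw was that any website could reach the RPC ports at all.
TRUSTED_ORIGINS = {"https://localhost:40000"}  # placeholder, not a real Trend value


@dataclass(frozen=True)
class Decision:
    allowed: bool
    action: str   # "shell_execute", "open_in_browser" or "reject"
    reason: str


def vulnerable_open_url(url: str) -> Decision:
    """Models the flawed handler: whatever string arrives is forwarded
    verbatim to ShellExecute(), which runs programs and commands just as
    readily as it opens web pages."""
    return Decision(True, "shell_execute", f"forwarded verbatim: {url!r}")


def hardened_open_url(url: str, origin: Optional[str]) -> Decision:
    """Same RPC, with the checks the flawed handler lacked."""
    # 1. Authenticate the caller before looking at the payload.
    if origin not in TRUSTED_ORIGINS:
        return Decision(False, "reject", f"untrusted origin {origin!r}")

    candidate = url.strip()
    # 2. Reject anything with whitespace or control characters; a URL
    #    destined for a browser never needs them, a command line does.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in candidate):
        return Decision(False, "reject", "whitespace or control character in URL")

    # 3. Parse rather than pattern-match: urlsplit yields the scheme component,
    #    so "file:", "javascript:" and drive-letter paths all fail the allowlist.
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return Decision(False, "reject", f"scheme {parts.scheme!r} not in allowlist")
    if not parts.netloc:
        return Decision(False, "reject", "no host component")

    # 4. Hand the normalized URL to a browser-opening API, never to a shell.
    return Decision(True, "open_in_browser", parts.geturl())


# Constructed sample requests: (origin header, url parameter).
SAMPLE_REQUESTS: List[Tuple[Optional[str], str]] = [
    ("https://localhost:40000", "https://example.com/help"),
    ("https://some-other-site.example", "https://example.com/help"),
    ("https://localhost:40000", "file:///C:/Windows/win.ini"),
    ("https://localhost:40000", "C:\\Windows\\System32\\notepad.exe"),
    (None, "https://example.com/"),
]


def evaluate(requests: List[Tuple[Optional[str], str]]) -> Tuple[int, int]:
    """Run every sample through both handlers; return how many each allowed."""
    vuln_allowed = sum(vulnerable_open_url(u).allowed for _, u in requests)
    hard_allowed = sum(hardened_open_url(u, o).allowed for o, u in requests)
    return vuln_allowed, hard_allowed


if __name__ == "__main__":
    for origin, url in SAMPLE_REQUESTS:
        d = hardened_open_url(url, origin)
        print(f"{origin!r:40} {url!r:45} -> {d.action} ({d.reason})")
    print("allowed by vulnerable/hardened handler:", evaluate(SAMPLE_REQUESTS))
```

The point of the structured Decision is that the dangerous step (calling the OS) is separated from the policy, so the policy can be unit-tested with arbitrary inputs without ever executing anything. In a real fix the origin check would be backed by a per-session token rather than a static header, since an Origin header alone is not a secret.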
Then, as Ormandy dug deeper into Trend’s code, he found more problems.