When they're not working on their own projects, Google engineers often focus on highlighting potential issues with software delivered by others. We've already seen bug hunter Tavis Ormandy expose a vulnerability in AVG's Chrome security add-on, and he has now found an exploitable flaw in software from another popular antivirus vendor: Trend Micro.
According to Ormandy's security disclosure, a weakness in Trend Micro's Password Manager, which is installed automatically alongside the main scanner on Windows machines, let attackers execute commands and launch programs on unsuspecting users' PCs. He also pointed out that, as a result, every password saved on the machine could be read.
The company is said to have used an old API that invoked an "ancient" build of Chromium (the engine that powers Google's Chrome browser). Chromium is currently up to version 49, but the security company used version 41, which dates back to January 2015. Using this build, the program was able to escape its sandbox, the environment designed to stop attackers from reaching areas they shouldn't, in order to offer users a "secure browser". In the example he published, the Google engineer was able to launch a local program, Windows Calculator in this case, but the same weakness could also be used to carry out a remote attack.
"I don't even know what to say - how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?" says Ormandy.
The disclosure also highlights a worrying trend (I know, I know): security companies that provide additional tools to protect people from malicious attacks are actually putting them at greater risk. Worse, users may never know that their computer has been attacked.
Trend Micro says it moved quickly to patch the vulnerabilities and "worked with Tavis throughout the process" to resolve them. "Thanks to his responsible work with us, we were able to address the most critical issues he brought us in less than one week."
"Just working on my Trend Micro exploit." pic.twitter.com/XQXN7hjHEt
Tavis Ormandy (@taviso), January 8, 2016