Trend Micro AV gave any website command-line access to Windows PCs
Computers could be easily hijacked or trashed via security holes
PCs running Trend Micro's Windows antivirus can be hijacked, infected with malware, or wiped clean by any website, thanks to a vulnerability in the security software.
The design blunders in the consumer build of Trend's AV were discovered by Google Project Zero bod Tavis Ormandy. A patch is now available to address the remote-code execution flaw, so Trend Micro users should update their software as soon as possible.
Ormandy, who has been auditing widely used security packages, analyzed a component in Trend's AV software dubbed the Password Manager. He found that multiple HTTP RPC ports for handling API requests were accessible.
"It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute()," he wrote in a bug report to Trend.
This means that any webpage visited by a victim could run a script that uses Trend Micro's AV to run commands directly on the machine – such as RD C:\ /S /Q to wipe the system drive, or commands to download and install malware. As another example, this code uninstalls Trend Micro's security software on a PC without the owner's knowledge or consent.
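The root problem described above is a localhost HTTP listener that trusts whatever a browser sends it. The following added example (not code from Trend Micro or from Ormandy's report) sketches the checks such a listener can apply before acting on an openUrlInDefaultBrowser-style call; the function names, port, origin, header name and token are all hypothetical, and the sample requests are constructed.

```javascript
// Hypothetical gate for a localhost RPC method such as openUrlInDefaultBrowser.
// Every name, port, origin and token here is constructed for illustration.
const ALLOWED_HOSTS = new Set(["127.0.0.1:49155", "localhost:49155"]);
const ALLOWED_ORIGINS = new Set(["chrome-extension://constructed-extension-id"]);
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const SESSION_TOKEN = "constructed-per-install-secret";

// Compare without stopping at the first mismatching character.
function sameSecret(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  return diff === 0;
}

function checkOpenUrlRequest(req) {
  const h = req.headers || {};
  // 1. Host must name the loopback listener (blocks DNS-rebinding hostnames).
  if (!ALLOWED_HOSTS.has(h.host)) return { ok: false, reason: "bad-host" };
  // 2. A browser-supplied Origin must be the product's own client, never a web page.
  if (h.origin !== undefined && !ALLOWED_ORIGINS.has(h.origin)) return { ok: false, reason: "bad-origin" };
  // 3. Origin can be absent, so a per-install secret is always required.
  if (!sameSecret(String(h["x-rpc-token"] || ""), SESSION_TOKEN)) return { ok: false, reason: "bad-token" };
  // 4. The argument must parse as a URL with a web scheme.
  let target;
  try { target = new URL(req.url); } catch { return { ok: false, reason: "not-a-url" }; }
  if (!ALLOWED_SCHEMES.has(target.protocol)) return { ok: false, reason: "bad-scheme" };
  // Hand target.href to the browser launcher as one argument, never to a shell.
  return { ok: true, reason: "allowed", url: target.href };
}

// Constructed sample requests: the first three come from untrusted callers,
// the last three carry the product's own headers with different arguments.
const own = { host: "127.0.0.1:49155", origin: "chrome-extension://constructed-extension-id", "x-rpc-token": SESSION_TOKEN };
const SAMPLE_REQUESTS = [
  { headers: { host: "127.0.0.1:49155", origin: "https://example.test" }, url: "https://example.test/" },
  { headers: { host: "rebind.example.test:49155", "x-rpc-token": SESSION_TOKEN }, url: "https://example.test/" },
  { headers: { host: "127.0.0.1:49155" }, url: "https://example.test/" },
  { headers: own, url: "notepad.exe" },
  { headers: own, url: "file:///C:/constructed/tool.exe" },
  { headers: own, url: "https://example.test/help" },
];

function runSamples() { return SAMPLE_REQUESTS.map((r) => checkOpenUrlRequest(r).reason); }
console.log(runSamples());
```

Only the last request passes: each earlier one fails a different check, which is why the checks are layered rather than relying on any single header.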
Then, as Ormandy looked deeper into Trend's code, more problems were discovered.
Because the password manager was so badly written, Ormandy found that a malicious script could not only execute code remotely, it could also steal all passwords stored in the browser using the flaws in Trend's software – even if they are encrypted.
Ormandy reported the flaws to Trend Micro last week, and as per Project Zero's policy, the software maker had 90 days to fix the issues before details of the bugs would be revealed in public. A new version of the antivirus has been released to address the remote-code execution hole, so information on the flaw is now available to all.
"Trend Micro sent me a build to verify they had fixed the problem, it looks like they're no longer using ShellExecute, so it fixes the immediate problem of trivial command execution," Ormandy said.
"I'm still concerned that this component exposes nearly 70 APIs to the internet, most of which sound pretty scary. I tell them I'm not going to go through them, but that they need to hire a professional security consultant to audit it urgently."
Updated to add
A spokesperson for Trend Micro stressed that the vulnerabilities lie in its consumer antivirus product, adding: "Tavis brought us a report of a possible vulnerability in a Trend Micro product. As part of our standard vulnerability response process we worked with him to identify and address the vulnerability. Customers are now getting protections through automatic updates."