Google's Project Zero outs "ridiculous" Trend Micro flaw

Google's Project Zero has shown that Trend Micro accidentally left a remote debugging tool in several of its products.

The Antivirus product was shipped with remote debugger still active

Trend Micro accidentally left a remote debugging tool on in some of its products that could be exploited by hackers. The firm has since been forced to issue a patch to fix the flaw.

The vulnerability was discovered by Project Zero researcher Tavis Ormandy.

"This is ridiculous. There is a remote debugger stub listening by default on a new install of TrendMicro Antivirus," Ormandy said in the Chromium bugs blog.

The bug affects Trend Micro Maximum Security, Trend Micro Premium Security and Trend Micro Password Manager.

"To exploit [it] is really easy in JavaScript. I wrote a very quick example exploit," he said.

The notification saw Trend Micro react quickly with one of its staff reporting that the firm would “isolate the issue and is currently working on resolving it as quickly and completely as possible.”

Ormandy offered to look at the build. Trend Micro then said it expected to release a short-term fix for customers soon.

The patch for the flaw was issued this Wednesday, a week after the vulnerability was reported. However, the patch is not complete but does cover the most critical issues raised by Ormandy.

Ormandy said the patch could, in some cases, fail to prevent the debugger from being used to execute arbitrary code on users' systems remotely.

In a statement sent by Trend Micro to SCMagazineUK.com, Christopher Budd, global threat communications manager at Trend Micro, said that “Trend Micro is aware of a disclosure by Tavis Ormandy, a well-known and respected researcher with Google's Project Zero team, regarding vulnerabilities discovered in Trend Micro Password Manager, a consumer-focused product.

“This issue was found to only affect Trend Micro Password Manager, which is bundled with the Trend Micro Titanium Maximum Security consumer-focused product. Password Manager is not included with any SMB or enterprise products,” he said.

“As part of our standard product vulnerability response process, a mandatory patch addressing the most critical issues was validated by the researcher and automatically pushed to affected Trend Micro Password Manager consumers via Trend Micro's ActiveUpdate servers. Most, if not all, users of the product should have the update in place at this time. It is important to note that there is no evidence that the proof of concept exploits reported to us were ever used publicly.”

“Trend Micro takes all reports of vulnerabilities very seriously, and is committed to addressing any legitimate issues as quickly as possible after they are reported to us,” added Budd.

Earlier this year Ormandy discovered that the Password Manager product, which is part of Trend Micro Antivirus, shipped with a JavaScript Node.js web server enabled.

Nick Jones, Security Consultant at MWR InfoSecurity, told SC that “it is clear that this problem is something being seen across the industry, and it is hoped that the increased awareness of the poor development practices in use by some security software firms will result in an improvement of the current situation.”

James Maude, senior security engineer at Avecto, told SC that in the security industry companies often introduce flaws by trying to reinvent the wheel; AV vendors are known to bypass security features like Microsoft's PatchGuard in order to make their products work.

“We increasingly see virtualisation technologies and hypervisor based products that circumvent the operating system, leading to an entirely different attack surface. Vendors need to work with the platform and environment to improve security, not fight against it and risk instability and compromise,” he said.