Trend Micro password manager had remote command execution holes and dumped data to anyone

January 12, 2016 – 5:42 AM

A password management tool installed by default alongside Trend Micro AntiVirus was found by Google’s Project Zero security team to be vulnerable to remote code execution.

Discovered by Project Zero’s Tavis Ormandy, the flaw stemmed from the password tool being built in JavaScript on node.js and starting a local web server that listened for API commands without any origin whitelist or same-origin policy check.

“It’s even possible to bypass MOTW [Mark of the Web], and spawn commands without any prompts whatsoever.”

According to the security researcher, even after Trend Micro issued an initial fix, the product still exposed nearly 70 API calls to the internet.

“I happened to notice that the /api/showSB endpoint will spawn an ancient build of Chromium (version 41) with --disable-sandbox. To add insult to injury, they append ‘(Secure Browser)’ to the UserAgent,” Ormandy said.
