Trend Micro – Password Manager Security Vulnerability Found

On January fifth two thousand sixteen a security vunlerability was found in Trend Micro’s password manager by Google security research. Trend Micro Incorporated admitted this security vulnerability on January eleven two thousand sixteen. When endusers install Trend Micro anti-virus software, an additional software application Password Manager is installed, enabled and automatically starts on Windows boot.

Trend Micro’s password manager is mostly written in javascript. This password software opens multiple instances of Hyper Text Transfer Protocal Remote Procedure Call ports using an Advanced Programming Interface. Google security research found a vulnerability within thirty seconds.

This allows any website to run arbitrary code using these opened Hyper Text Transfer Protocal ports. An example code looks like this:

x = new XMLHttpRequest()“GET”, “https://localhost:49155/api/openUrlInDefaultBrowser?url=c:/windows/system32/calc.exe true);
try { x.send(); } catch (e) {};

Trend Micro has now fixed this security vulnerability in their password manager application. Trend Micro released a mandatory update on January eleven two thousand sixteen fixing this security hole. Current Trend Micro customers should have received this update via ActiveUpdate.

This anti-virus software producer is not aware of any current active attacks towards this vulnerability. You can check out Trend Micro’s official blog post concerning this security flaw. Trend Micro endusers should make sure that that mandatory update released on January eleven two thousand sixteen, is installed.