Trend Micro security products were shipped with a remote debugger program that attackers could exploit to run arbitrary code, a security researcher found.
Google Project Zero team member Tavis Ormandy noted that Trend Micro Maximum Security, Premium Security and Password Manager all installed and ran a remote Node.js debugging stub automatically.
Ormandy said it was "really easy" to exploit the remote debugger with a few lines of Javascript code. He provided proof of concept code that launched calc.exe through Javascript as a subprocess of the Trend Micro Password Manager.
Trend Micro attributed the security issue to a third-party module.
As the third-party module could not be easily modified, Trend Micro initally wanted to push out a temporary fix and asked for more time before disclosure so the company's development team could "crack open the source code and disable the debug port", and reintegrate the utility into its products, Ormandy said.
The researcher analysed the proposed temporary patch and expressed concerns about its quality, noting he had found some edge cases where it would fail to prevent the debugger from being used to execute arbitrary code on users systems remotely.
Trend Micro acknowledged that the severity and priority of the issue was "absolutely critical" and developed a patch over the Easter holidays that is being currently rolled out, he wrote.
In January this year, the Google security researcher discovered that the Password Manager product, which is part of Trend Micro Antivirus, shipped with a Javascript node.js web server enabled.
This could be used again to execute commands and code remotely on Windows machines, Ormandy noted.
.png&h=140&w=231&c=1&s=0)
_page-0001_(1).jpg&w=100&c=1&s=0)
Integrate
