14 DAY TRIAL // Trend Micro has released new versions of its antivirus and password manager products to address a security issue discovered by Google Project Zero researcher Tavis Ormandy.
According to Mr. Ormandy, on default factory settings, Trend Micro's Maximum Security, Premium Security, and Password Manager products were opening a remote Node.js debugger stub and leaving it to listen for commands on a random localhost port.
Mr. Ormandy put together an exploit that consisted of loading thousands of images that would query the localhost server on a different port number until they would uncover the one open for that client.
He would then make calls via JavaScript to this port, executing commands on the user's machine. The exploit, which was trivial to put together, according to Mr. Ormandy, relied on attackers tricking users into accessing a malicious page, something that's not that out of the ordinary.
Trend Micro delivered a quick fix, a permanent patch is in the works
The researcher contacted Trend Micro staff, who for the past week have been working on a quick fix that would detect the vulnerable port the Node.js debugger was about to start and would initiate another service on it instead, preventing the debugger from binding to the port and shutting down.
This quick patch was released on March 30, but Trend Micro has also started working on a permanent fix. This will take some time to implement, though, as this is a complex operation.
According to Trend Micro, the vulnerability's source is in a module that loads a third-party binary. The Trend Micro team says it will have to crack open that binary, alter its source code to prevent the debugger from starting, and then reintegrate it into their apps' source code. The team estimates this will take around a month.
Back in January, Mr. Ormandy also discovered that a similar Node.js server started by Trend Micro's Password Manager was disclosing user passwords.
TrendMicro accidentally left a remote debugging server running on all customer machines ¯\_(ツ)_/¯ #oops https://t.co/bPLFOrTLBl — Tavis Ormandy (@taviso) March 30, 2016