Researcher finds serious vulnerability in Trend Micro antivirus, now fixed

Shawn Knight

A few weeks ago, Google staffer and security researcher Tavis Ormandy disclosed a vulnerability in a Chrome extension from AVG that put users' PCs at risk. Ormandy has since discovered a flaw in another security-minded application, this time from Trend Micro.

When users install Trend Micro's antivirus software, another program called Password Manager is also automatically installed and set to launch at startup. Ormandy found that the app is primarily written in JavaScript with Node.js.

Long story short, he determined that the app used an "ancient" build of Chromium that left users open to attack and also exposed stored passwords to the Internet. Fortunately, Ormandy reached out to Trend Micro to inform the company of the flaw and help to get a fix issued. In total, the process from start to finish took about a week.

The security researcher also recommended that Trend Micro hire a professional security consultant to handle audit work. Trend Micro issued a statement earlier this week saying it responded quickly to the initial report and worked with Ormandy to understand the issue and address it.

The company released a mandatory update through its ActiveUpdate system on January 11 that fixes the issue and thanked the security researcher for his help.


 
I just hope they "fix" that practice of selling you "protection for 5 devices", only to tell you later it's only for one PC, a phone, a tablet, etc., etc. AND when you call them on it they do absolutely nothing but put and leave you on hold. Talk about misleading advertising. It's the one and only reason I dropped them. I simply won't do business with liars, and that is exactly what I found. Sad part ... they used to be #1 .... what a waste!
 