Google’s Project Zero chastised Trend Micro over security vulnerability

When you pay for security software, you probably hope it’s protecting you — not creating a massive security breach in and of itself. But if you ran Trend Micro’s password manager, enabled by default for all Trend Micro users, any site on the web could have executed any app on your computer just by including a bit of code.

A patch issued today mostly solves the problem. But as Ars Technica reports, that only happened because Google Project Zero team member Tavis Ormandy publicly berated the company.

“I don’t even know what to say — how could you enable this thing by default on all your customer machines without getting an audit from a competent security consultant?” wrote Ormandy in a long email exchange the company has since made public.

Ormandy claimed it took him “about 30 seconds” to find the vulnerability, and demonstrated it by quickly building a web page that could remotely launch the Windows calculator when opened on a computer with the password manager installed and running, regardless of whether the user actually used it.

That’s true even if you don’t use the password manager, but it gets worse if you do: a related vulnerability made it possible to read all of a user’s saved usernames and passwords in plain text.

A recent update closes the hole by only accepting such commands from Trend Micro sites. If you use Trend Micro, make sure everything is up to date, or you might be extremely exposed to all sorts of problems.

But even if you do update, there still could be problems. As of today, Ormandy is saying this “is not sufficient to prevent attacks,” because something like DNS spoofing could trick your computer into thinking a command is coming from Trend Micro. Ormandy added that “a better solution would be to digital sign requests with a certificate.”
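The two approaches in the previous paragraphs, an origin allowlist versus signed requests, can be compared in a few lines. The following is an added illustration written for this page; it is not Trend Micro’s code and does not reproduce the product’s actual interface. It models a local command endpoint that first decides purely on the request’s Origin host (the shape of the fix described above) and then on a signature over the command. Ormandy’s suggestion was certificate-based signing; to stay within the Python standard library the example uses an HMAC with a shared key instead, which is an assumption of the example, but the property it demonstrates is the same: the decision depends on a secret the caller must hold, not on a host name that DNS can be made to resolve wherever an attacker likes. The allowlist suffix, the command strings and the sample key are all constructed.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Constructed allowlist in the style of the "only Trend Micro sites" fix.
ALLOWED_ORIGIN_SUFFIXES = ("trendmicro.com",)

# Constructed demo key; a real deployment would use a certificate as proposed.
SAMPLE_KEY = b"constructed-demo-key-not-for-production"


def origin_allowed(origin_header: str) -> bool:
    """Policy 1: trust a request if its Origin host matches an allowed domain.

    The host name is simply what the browser resolved and sent along. Nothing
    here proves the name really belongs to the vendor, which is exactly the gap
    that DNS spoofing opens: a poisoned lookup yields a request whose Origin
    looks right while the content came from somewhere else.
    """
    host = urlparse(origin_header).hostname or ""
    return any(host == s or host.endswith("." + s) for s in ALLOWED_ORIGIN_SUFFIXES)


def sign_command(command: str, nonce: str, key: bytes) -> str:
    """Client side of policy 2: bind the command to a one-time nonce and sign both."""
    message = f"{nonce}:{command}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


class SignedCommandVerifier:
    """Server side of policy 2: accept only commands carrying a valid, fresh signature."""

    def __init__(self, key: bytes):
        self._key = key
        self._seen_nonces: set[str] = set()

    def verify(self, command: str, nonce: str, signature: str) -> bool:
        if not nonce or nonce in self._seen_nonces:
            return False  # missing nonce or replay of an earlier request
        expected = sign_command(command, nonce, self._key)
        # Constant-time comparison so the check does not leak via timing.
        if not hmac.compare_digest(expected, signature):
            return False  # unsigned, wrong key, or command altered after signing
        self._seen_nonces.add(nonce)
        return True


def handle_with_origin_policy(request: dict) -> str:
    return "executed" if origin_allowed(request.get("origin", "")) else "rejected"


def handle_with_signature_policy(request: dict, verifier: SignedCommandVerifier) -> str:
    ok = verifier.verify(
        request.get("command", ""), request.get("nonce", ""), request.get("signature", "")
    )
    return "executed" if ok else "rejected"


def demo() -> dict:
    """Run both policies over constructed requests and report each decision."""
    verifier = SignedCommandVerifier(SAMPLE_KEY)

    # Constructed request: the Origin names a vendor host, but nothing in it
    # proves who sent it. This is the case a spoofed DNS answer produces.
    spoofed = {"origin": "https://www.trendmicro.com", "command": "launch_app"}

    # Constructed request from the legitimate client, signed with the key.
    nonce = secrets.token_hex(8)
    genuine = {
        "origin": "https://www.trendmicro.com",
        "command": "open_settings",
        "nonce": nonce,
        "signature": sign_command("open_settings", nonce, SAMPLE_KEY),
    }
    # Same signature and nonce, but the command was changed in transit.
    tampered = dict(genuine, command="launch_app")

    return {
        "origin_policy_spoofed": handle_with_origin_policy(spoofed),
        "signature_policy_spoofed": handle_with_signature_policy(spoofed, verifier),
        "signature_policy_tampered": handle_with_signature_policy(tampered, verifier),
        "signature_policy_genuine": handle_with_signature_policy(genuine, verifier),
        # Sending the genuine request a second time must fail: nonce already used.
        "signature_policy_replayed": handle_with_signature_policy(genuine, verifier),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:28s} {decision}")
```

The origin policy executes the spoofed request because the only thing it inspects is a name; the signature policy rejects it, rejects a command that was altered after signing, accepts the genuine one, and rejects the same genuine request when it is replayed. Swapping the HMAC for a certificate signature, as Ormandy proposed, keeps this structure and removes the need for the web site and the local service to share a secret.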

Google Project Zero is a team of security researchers inside Google that finds zero-day vulnerabilities, problems that would otherwise be exploited by hackers. The team gives software companies 30 days to fix the problem, at which point it makes the details public. The idea is to make the Internet a safer place by getting these flaws fixed before hackers can use them, though this has prompted controversy: some companies feel this isn’t enough time. It is more time than a hacker would grant, though.

Justin Pot
Former Digital Trends Contributor