Google’s Project Zero chastised Trend Micro over security vulnerability

When you pay for security software, you probably hope it’s protecting you — not creating a massive security breach in and of itself. But if you ran Trend Micro’s password manager, enabled by default for all Trend Micro users, any site on the web could have executed any app on your computer just by including a bit of code.

A patch issued today mostly solves the problem. But as Ars Technica reports, that only happened because Google Project Zero team member Tavis Ormandy publicly berated the company.

“I don’t even know what to say — how could you enable this thing by default on all your customer machines without getting an audit from a competent security consultant?” wrote Ormandy in a long email exchange the company has since made public.

Ormandy claimed it took him “about 30 seconds” to find the vulnerability, and demonstrated it by quickly building a Web page that could remotely launch the Windows calculator if opened on a computer with the password manager installed and running — regardless of whether users were using it.

That’s true even if you don’t use the password manager, but it gets worse if you do: A related vulnerability made it possible to read all of a user’s saved usernames and passwords in plain text.

A recent update patches the exploit by only allowing Trend Micro sites to send such commands. If you use Trend Micro, make sure everything is up to date, or you might be extremely exposed to all sorts of problems.

But even if you do update, there still could be problems. As of today, Ormandy is saying this “is not sufficient to prevent attacks,” because something like DNS spoofing could trick your computer into thinking a command is coming from Trend Micro. Ormandy added that “a better solution would be to digital sign requests with a certificate.”
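The difference between the two fixes can be shown in a short sketch. This is an added example, not Trend Micro's or Ormandy's code: the origin, the command names, the Ed25519 key pair and the 60-second freshness window are all assumptions made for illustration, and the freshness check goes one step beyond the signing suggestion quoted above.

```javascript
const crypto = require('crypto');

// Constructed key pair for the demo; a real client would embed only the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const ALLOWED_ORIGIN = 'https://vendor.example'; // hypothetical vendor origin
const MAX_AGE_MS = 60000; // assumed freshness window to limit replay

// Origin allowlist: trusts a name, so it holds only while name resolution
// and transport to that name are trustworthy.
function originCheck(req) {
  return req.origin === ALLOWED_ORIGIN;
}

// Vendor side: sign the exact payload bytes (command plus issue time).
function signRequest(command, issuedAt) {
  const payload = JSON.stringify({ command, issuedAt });
  const signature = crypto.sign(null, Buffer.from(payload), privateKey).toString('base64');
  return { origin: ALLOWED_ORIGIN, payload, signature };
}

// Client side: accept only payloads signed by the vendor key and recently issued.
function signatureCheck(req, now) {
  if (typeof req.payload !== 'string' || typeof req.signature !== 'string') return false;
  const sig = Buffer.from(req.signature, 'base64');
  if (!crypto.verify(null, Buffer.from(req.payload), publicKey, sig)) return false;
  const { issuedAt } = JSON.parse(req.payload);
  return Number.isFinite(issuedAt) && Math.abs(now - issuedAt) <= MAX_AGE_MS;
}

// Constructed requests: one genuine, one that only claims the allowed origin.
function compareChecks(now) {
  const genuine = signRequest('showStatus', now); // hypothetical command name
  const spoofed = {
    origin: ALLOWED_ORIGIN, // what a misdirected name lookup would present
    payload: JSON.stringify({ command: 'somethingElse', issuedAt: now }),
    signature: genuine.signature, // signature lifted from a genuine request
  };
  return {
    genuine: { origin: originCheck(genuine), signed: signatureCheck(genuine, now) },
    spoofed: { origin: originCheck(spoofed), signed: signatureCheck(spoofed, now) },
    replayed: { origin: originCheck(genuine), signed: signatureCheck(genuine, now + 2 * MAX_AGE_MS) },
  };
}

console.log(compareChecks(Date.now()));
```

The spoofed request passes the origin allowlist but fails signature verification, because the signature covers the payload bytes rather than the name the request appears to come from.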

Google Project Zero is a team of security researchers inside Google that finds zero-day exploits, problems that would otherwise be exploited by hackers. The team gives software companies 30 days to fix the problem, at which point they make it public. The idea is to make the Internet a safer place by getting these exploits fixed before hackers can use them, though this has prompted controversy: Some companies feel this isn’t enough time. It is more time than a hacker would grant, though.

Justin Pot
Former Digital Trends Contributor
Justin's always had a passion for trying out new software, asking questions, and explaining things – tech journalism is the…