Skip to main content
  1. Home
  2. Computing
  3. News

Google’s Project Zero chastised Trend Micro over security vulnerability

Justin Pot
By

google said to be planning new messaging app that uses ai headquarters sign
When you pay for security software, you probably hope it’s protecting you — not creating a massive security breach in and of itself. But if you ran Trend Micro’s password manager, enabled by default for all Trend Micro users, any site on the web could have executed any app on your computer just by including a bit of code.

A patch issued today mostly solves the problem. But as Ars Technica reports, that only happened because Google Project Zero team member Tavis Ormandy publicly berated the company.

“I don’t even know what to say — how could you enable this thing by default on all your customer machines without getting an audit from a competent security consultant?” wrote Ormandy in a long email exchange the company has since made public.

Ormandy claimed it took him “about 30 seconds” to find the vulnerability, and demonstrated it by quickly building a Web page that could remotely launch the Windows calculator if opened on a computer with the password manager installed and running — regardless if users were using it.

That’s true even if you don’t use the password manager, but it gets worse if you do: A related vulnerability made it possible to read all of a users’ saved usernames and passwords in plain text.

A recent update patches the exploit by only allowing Trend Micro sites to send such commands. If you use Trend Micro, make sure everything is up to date, or you might be extremely exposed to all sorts of problems.

But even if you do update, there still could be problems. As of today, Ormandy is saying this “is not sufficient to prevent attacks,” because something like DNS spoofing could trick your computer into thinking a command is coming from Trend Micro. Ormandy added that “a better solution would be to digital sign requests with a certificate.”

Google Project Zero is a team of security researchers inside Google that find zero-day exploits, problems that would otherwise be exploited by hackers. The team gives software companies 30 days to fix the problem, at which point they make it public. The idea is to make the Internet a safer place by getting these exploits fixed before hackers can use them, though this has prompted controversy: Some companies feel this isn’t enough time. It is more time than a hacker would grant, though.

Editors' Recommendations

The most common Microsoft Teams problems, and how to fix them

A close-up of someone using Microsoft Teams on a laptop for a videoconference.

Selling something online? Watch out for this clever new scam

An individual holding a phone and card.

WhatsApp adds new privacy features that everyone should start using

The WhatsApp app icon on a phone with other messaging apps.

North Korean hackers are targeting crypto workers

A hand on a laptop in a dark surrounding.

With Tesla bleeding money, Elon Musk initiates hardcore spending review

Elon Musk talks to the press as he arrives to to have a look at the construction site of the new Tesla Gigafactory near Berlin.

Splatoon 3 will recieve at least 2 years of support, expansion teased

splatoon 3 support update crossbow

Xenoblade Chronicles 3: How to clean clothes and why you should

Reveal of a titan in Xenoblade Chronicles 3.

Samsung Galaxy Z Fold 4 vs. Galaxy Z Fold 3: Is it time for you to upgrade?

Samsung Galaxy Z Fold 4.

Sony has shipped over 117M PlayStation 4 systems, per final tally

playstation 4 final shipment numbers ps4

The best Google Chrome themes

google wants to kill urls make the internet safer chrome url

This smart desk’s built-in OLED screen looks like science fiction

The Lumina desk, with a monitor and MacBook on the table.

Marvel’s Spider-Man Remastered on PC makes me excited for Sony games again

marvels spider man pc steam deck impressions msmr hero

How to pre-order the Galaxy Z Flip 4 and Z Fold 4 right now

Samsung Galaxy Z Fold 4 and Galaxy Z Flip 4.