Ormandy, who has made something of a career of late discovering holes in popular security software, analyzed a component in Trend’s software dubbed Password Manager. He found that multiple HTTP RPC ports for handling API requests were accessible.
“It took about 30 seconds to spot one that permits arbitrary command execution, openUrlInDefaultBrowser, which eventually maps to ShellExecute(),” he wrote in a bug report to Trend.
This means that any webpage could run a script that uses Trend Micro’s AV to run commands on the machine – such as RD C:\ /S /Q to wipe the system drive, or commands to download and install malware. As another example, this code uninstalls Trend Micro’s security software on a PC without the owner’s knowledge or consent.
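The root cause described above is a privileged RPC service listening on a local HTTP port that trusts any web page able to reach it. The following is an added example (not Trend Micro's code, and not the bug report's) showing the defensive pattern such a local service should follow: bind only to 127.0.0.1, accept only an explicit allow-list of harmless methods (no generic "open URL" or "run command" verb), require a known Origin, and require a per-session bearer token that a random web page cannot learn. The origins, port, method names and token handling are hypothetical.

```python
"""Defensive pattern for a localhost HTTP RPC endpoint (added example).

Hypothetical origins, port and method names; the checks are the point.
"""
import hmac
import json
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

# Regenerated every time the service starts; handed only to the product's
# own UI (e.g. via a file readable just by the current user), never to web pages.
SESSION_TOKEN = secrets.token_urlsafe(32)

# Hypothetical allow-lists. Note there is deliberately no method that maps
# to ShellExecute() or takes an arbitrary URL/command from the caller.
ALLOWED_ORIGINS = {"https://passwordmanager.example.invalid"}
ALLOWED_METHODS = {"ping", "getVersion"}
LISTEN_ADDR = ("127.0.0.1", 48080)  # hypothetical port; loopback only


def authorize(headers, method):
    """Return (http_status, reason). 200 only when every check passes."""
    if headers.get("Origin") not in ALLOWED_ORIGINS:
        return 403, "origin not allowed"
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    # Constant-time comparison so token guessing cannot use timing.
    if not hmac.compare_digest(token.encode(), SESSION_TOKEN.encode()):
        return 401, "missing or bad session token"
    if not isinstance(method, str) or method not in ALLOWED_METHODS:
        return 404, "unknown method"
    return 200, "ok"


def handle_rpc(headers, body):
    """Parse a JSON body like {"method": "ping"} and dispatch it safely."""
    try:
        req = json.loads(body)
        method = req.get("method")
    except (ValueError, AttributeError):
        return 400, {"error": "malformed request"}
    status, reason = authorize(headers, method)
    if status != 200:
        return status, {"error": reason}
    results = {"ping": "pong", "getVersion": "1.0"}
    return 200, {"result": results[method]}


class RpcHandler(BaseHTTPRequestHandler):
    """Minimal HTTP glue around handle_rpc()."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8", "replace")
        status, payload = handle_rpc(self.headers, body)
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        # No Access-Control-Allow-Origin: * here; browsers will block
        # cross-origin reads from unlisted pages.
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    print("session token:", SESSION_TOKEN)
    HTTPServer(LISTEN_ADDR, RpcHandler).serve_forever()
```

A page from an unlisted origin fails the first check, a page that somehow spoofs the origin still lacks the token, and even a caller holding the token cannot reach anything more dangerous than `ping`. Checking for this pattern (loopback-only bind, no wildcard CORS, no command-like methods) is a quick review item for any product that ships a local RPC listener.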
Then, as Ormandy looked deeper into Trend’s code, he discovered more problems.
Because the password manager was so badly written, Ormandy found that a malicious script could not only execute code remotely but also steal every password stored in the browser, using the flaws in Trend’s software – even if the passwords were encrypted.
Antivirus companies are doing really really well lately. Not.