Skip to main content

Google’s Project Zero chastised Trend Micro over security vulnerability

google said to be planning new messaging app that uses ai headquarters sign
Image used with permission by copyright holder
When you pay for security software, you probably hope it’s protecting you — not creating a massive security breach in and of itself. But if you ran Trend Micro’s password manager, enabled by default for all Trend Micro users, any site on the web could have executed any app on your computer just by including a bit of code.

A patch issued today mostly solves the problem. But as Ars Technica reports, that only happened because Google Project Zero team member Tavis Ormandy publicly berated the company.

Recommended Videos

“I don’t even know what to say — how could you enable this thing by default on all your customer machines without getting an audit from a competent security consultant?” wrote Ormandy in a long email exchange the company has since made public.

Please enable Javascript to view this content

Ormandy claimed it took him “about 30 seconds” to find the vulnerability, and demonstrated it by quickly building a Web page that could remotely launch the Windows calculator if opened on a computer with the password manager installed and running — regardless if users were using it.

That’s true even if you don’t use the password manager, but it gets worse if you do: A related vulnerability made it possible to read all of a users’ saved usernames and passwords in plain text.

A recent update patches the exploit by only allowing Trend Micro sites to send such commands. If you use Trend Micro, make sure everything is up to date, or you might be extremely exposed to all sorts of problems.

But even if you do update, there still could be problems. As of today, Ormandy is saying this “is not sufficient to prevent attacks,” because something like DNS spoofing could trick your computer into thinking a command is coming from Trend Micro. Ormandy added that “a better solution would be to digital sign requests with a certificate.”

Google Project Zero is a team of security researchers inside Google that find zero-day exploits, problems that would otherwise be exploited by hackers. The team gives software companies 30 days to fix the problem, at which point they make it public. The idea is to make the Internet a safer place by getting these exploits fixed before hackers can use them, though this has prompted controversy: Some companies feel this isn’t enough time. It is more time than a hacker would grant, though.

Justin Pot
Former Digital Trends Contributor
Justin's always had a passion for trying out new software, asking questions, and explaining things – tech journalism is the…
I tried out Google’s latest AI tool that generates images in a fun, new way
Google's Whisk AI tool being used with images.

Google’s latest AI tool helps you automate image generation even further. The tool is called Whisk, and it's based on Google’s latest Imagen 3 image generation model. Rather than relying solely on text prompts, Whisk helps you create your desired images using other images as the base prompt.

Whisk is currently in an experimental phase, but once set up it's fairly easy to navigate. Google detailed in a blog post introducing Whisk that it is intended for “rapid visual exploration, not pixel-perfect edits.”

Read more
Waymo is taking its robotaxis overseas for the first time
Waymo Jaguar I-Pace

Waymo is taking its robotaxis out of the U.S. for the first time as the company begins expanding testing internationally.

A fleet of its autonomous vehicles will be heading first to the busy streets of Tokyo early next year, Waymo announced on Monday.

Read more
The most innovative tech products of 2024
The most Innovative awards graphic.

392. That's how many tech products we've reviewed this year so far, and we're bound to cross the 400 mark by the time January 2025 rolls around.

The vast majority of these tech products take a more iterative approach to their design and technology. We're all familiar with the annual drum beat of small refinement, and don't get me wrong: over time, it produces the very best tech. The kind that we all rely on every day.

Read more