Trend Micro Password Manager Had Remote Command Execution Holes and Dumped Data to Anyone: Project Zero

72

Google’s Project Zero discovered multiple trivial remote code execution vulnerabilities sitting within a password manager installed by Trend Micro as default alongside its AntiVirus product.

A password management tool installed by default alongside Trend Micro AntiVirus was found vulnerable to remote code execution thanks to the work of Google’s Project Zero security team. Discovered by Project Zero’s Tavis Ormandy, the password tool was built using JavaScript and node.js, and started a local web server that would listen, without using a whitelist or same origin policy, for API commands.

Read more at ZDNet News