Trend Micro Patches Password Manager Flaw

Trend Micro Patches Password Manager Flaw

Anti-malware company Trend Micro has patched a flaw in its password manager that could have enabled an attacker to run their own code on a user's computer with the highest possible access privileges.

Available for the iOS, Android, Windows and Mac platforms, Trend Micro Password Manager stores login credentials, features one-click login and form-filling capabilities and synchronizes with the cloud so that people can use it across different devices. It is available as a free service for up to five passwords. Users pay to store more credentials. They can buy the product on its own or as an optional part of Trend Micro's Premium Security and Maximum Security solutions.

SafeBreach found an issue with pwmSvc.exe, a central control service that runs with privileged user account status. If compromised, this could enable an attacker to escalate privileges to the system level. Because this software is signed by Trend Micro, compromising it would allow an attacker to bypass its application white list. It could also be used as a persistent attack mechanism because it automatically starts when the computer boots, SafeBreach said in its analysis.

The researchers noticed that the program tried to load a missing DLL file from the default Python directory, which can be included in the PATH environment variable (PATH is a variable that tells the computer in which directories to find executable programs).

The program relied on the PATH variable when loading the DLL instead of specifying an absolute path. It also didn't check for a digital certificate when loading DLL files.

SafeBreach researchers were able to compr ..