Serviceteam IT Security News

Anti-malware company Trend Micro has patched a flaw in its password manager that could have enabled an attacker to run their own code on a user’s computer with the highest possible access privileges.

Available for the iOS, Android, Windows and Mac platforms, Trend Micro Password Manager stores login credentials, features one-click login and form-filling capabilities and synchronizes with the cloud so that people can use it across different devices. It is available as a free service for up to five passwords. Users pay to store more credentials. They can buy the product on its own or as an optional part of Trend Micro’s Premium Security and Maximum Security solutions.

SafeBreach found an issue with pwmSvc.exe, a central control service that runs with privileged user account status. If compromised, this could enable an attacker to escalate privileges to the system level. Because this software is signed by Trend Micro, compromising it would allow an attacker to bypass its application white list. It could also be used as a persistent attack mechanism because it automatically starts when the computer boots, SafeBreach said in its analysis.

The researchers noticed that the program tried to load a missing DLL file from the default Python directory, which can be included in the PATH environment variable (PATH is a variable that tells the computer in which directories to find executable programs).

The program relied on the PATH variable when loading the DLL instead of specifying an absolute path. It also didn’t check for a digital certificate when loading DLL files.

SafeBreach researchers were able to compromise the system by adding the Python directory to the PATH variable and then using it to store an unsigned DLL file. This enabled them to piggyback their own code on Trend Micro’s program, which would run it for them with elevated privileges.
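The two defects described above, a privileged service resolving a DLL through PATH and no signature check on what it loads, combine into a risk only when some PATH entry is writable by a low-privilege user. The following PowerShell audit is an added example, not code from the article, SafeBreach or Trend Micro; it checks the machine-scoped PATH (the one a Windows service inherits, since services do not receive a per-user PATH) for entries that BUILTIN\Users, Authenticated Users or Everyone can write to, and for those entries lists the DLLs present with their Authenticode status. The function names `Test-LowPrivWritable` and `Get-DllSignatureStatus` and the choice of principals are my own assumptions.

```powershell
# Added example (not from the article): audit the machine-wide PATH for directories a
# non-administrator can write to, and list the DLLs (and their signature status) found
# in any such directory. Run from an elevated PowerShell session on Windows.

# Low-privilege principals whose write access to a PATH entry makes a PATH-based DLL
# load from that entry hijackable. Assumed list; extend for local conventions.
$lowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

# Rights that allow placing a new file (or directory) inside a directory.
# Write, Modify and FullControl all include these bits, so the mask catches them too.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::CreateDirectories)

function Test-LowPrivWritable {
    # Returns $true when an Allow ACE grants a low-privilege principal file-creation
    # rights on the directory. Deny ACEs are not evaluated, so the check errs towards
    # reporting a directory rather than missing one.
    param([Parameter(Mandatory)][string]$Directory)

    $acl = Get-Acl -LiteralPath $Directory
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

function Get-DllSignatureStatus {
    # Lists every DLL directly inside the directory with its Authenticode status.
    # Anything other than 'Valid' in a low-privilege-writable PATH entry deserves a look.
    param([Parameter(Mandatory)][string]$Directory)

    Get-ChildItem -LiteralPath $Directory -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName
                Status = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

# Machine-scoped PATH: REG_EXPAND_SZ entries are expanded by GetEnvironmentVariable.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$entries = $machinePath -split ';' |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) }

$findings = foreach ($dir in $entries) {
    if (Test-LowPrivWritable -Directory $dir) {
        $dlls = @(Get-DllSignatureStatus -Directory $dir)
        [pscustomobject]@{
            Directory    = $dir
            DllCount     = $dlls.Count
            UnsignedDlls = @($dlls | Where-Object { $_.Status -ne 'Valid' } | ForEach-Object { $_.Path })
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    Write-Output 'No low-privilege-writable directory found on the machine PATH.'
}
```

A directory reported here is the precondition the article describes: any privileged process that resolves a DLL name through PATH, rather than by absolute path, will search it. A PATH entry that does not exist on disk is also worth removing, since a user who can create that directory gains the same position. The fix on the loading side, as the article notes, is to load by full path and to verify the signature of what is loaded; the fix on the host side is to keep every machine-PATH entry writable by administrators only.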

An attacker could use this technique to compromise a system, they warned. “The service provides him with the ability to operate as NT AUTHORITY\SYSTEM which is the most powerful user in Windows, so he can access almost every file and process which belongs to the user on the computer,” they wrote.

SafeBreach reported the flaw to Trend Micro on July 23, and the vendor patched it and released a new version on July 31. It also published a security bulletin of its own today addressing the issue.

Source: Infosecurity Magazine
