Password Manager Proves Security Risk

Google has uncovered a major bug in a security software tool that could expose user passwords to hackers. Its the second time in a matter of weeks that Google’s found problems with security software.

On this occasion the problem is with the antivirus package from Trend Micro, specifically a Password Manager feature. This allows users to store passwords securely with a master security code; at the touch of a button, users can then have them the program automatically fill in passwords and logins on websites.

According to Google’s Tavis Ormandy, the feature is installed by default with Trend Micro’s antivirus software and starts automatically when Windows starts. (Source: google.com)

Tool Used Outdated Connection

Ormandy says the problem lies with the way the Password Manager interacts with the Chrome browser and its underlying system Chromium – specifically, the way that the sandbox feature works. The tool was was originally set up to work with version 41 of Chromium when that version was available last year.

The latest edition of Chromium is version 49, which now utilizes Chrome’s sandbox features much differently than in the past. In short, the old version of Trend Micro’s Password Manager does not comply with security features of the new sandbox, which means that certain programming code of the Password Manager is able to overstep parts of the system memory and is thus susceptible to exploit. (Source: engadget.com)

As a simple analogy, the vulnerability acted like a hole in a wall, which then allows hackers to remotely access the computer. Ormandy demonstrated the flaw by remotely forcing a computer to open the Windows calculator, but said it would have been just as simple to access the list of stored usernames passwords in the Password Manager itself.

Trend Micro Patch a Must Install

Trend Micro quickly acknowledged the bug and thanked Google for its vigilance. It has now issued a patch for the vulnerability, which users should install immediately. Of course, keeping security software updated is good practice and helps to ensure that the system has the latest signature database of known threats.

Two weeks ago, Ormandy uncovered a serious problem with a Chrome browser extension created by another security firm, AVG. In that case, AVG had deliberately crafted the extension to bypass Google’s own security measures. The matter is so severe that Google may blacklist AVG entirely from Chrome.

What’s Your Opinion?

Do you use Trend Micro’s password manager software? Do you worry about security on such tools? Do you think its safer to use a password manager that’s a standalone product from a dedicated company rather than an add-on tool in an antivirus package?