However, the patch comes six days after the security firm was alerted to the fact that flaws in the software could be exploited to execute malicious code and view stored passwords.
“This is trivially exploitable and discoverable in the default install, and obviously wormable – in my opinion, you should be paging people to get this fixed,” he said a day after first contacting TrendMicro.
According to Ormandy, who has exposed flaws in security software from several suppliers, the flaws could be exploited even if those running the software never used the password feature.
But those who did use the password manager component were vulnerable to hacks that allowed attackers to view hashed passwords and the plaintext internet domains they belonged to.
“TrendMicro helpfully adds a self-signed https certificate for localhost to the trust store, so you don’t need to click through any security errors,” said Ormandy.
Once he had made contact, Ormandy continually urged TrendMicro to move faster to contain the threat and advised the company seven times to bring in a professional security consultant to audit the code.
He also advised the security firm to disable the password manager feature temporarily. “In my experience dealing with security suppliers, users are quite forgiving of mistakes if vendors act quickly to protect them once informed of a problem. I think the worst thing you can do is leave users exposed while you clean this thing up. The choice is yours, of course,” he said.
TrendMicro eventually began working on an emergency fix, which has now been pushed to customers.
The company said in a statement that it worked with Ormandy as part of its standard vulnerability response process to identify and address the vulnerability. “Customers are now getting protections through automatic updates,” the statement said.
Ormandy said the update helps to mitigate the most urgent issues, but there are “still a lot of problems”, and called on the company to get its code audited by an outside professional.
Ormandy is a well-known bug hunter who has exposed critical vulnerabilities in several security products from various suppliers, including Kaspersky Lab, AVG, FireEye and Sophos.
Google Project Zero was set up in 2014 with the aim of improving security by reporting zero-day vulnerabilities, but software suppliers have been critical of the 90-day deadline set by the team.
Some suppliers have said that 90 days is often not long enough, but Google has defended the policy as a way of ensuring suppliers take action through responsible disclosure.