Trend Micro has released an emergency patch to resolve critical security vulnerabilities in a core product that could be exploited to allow hackers to view encrypted passwords and execute malicious code.
The flaws were uncovered by Google Project Zero researcher Tavis Ormandy, and are in the Trend Micro password manager component shipped alongside the firm's antivirus software.
"When you install Trend Micro antivirus on Windows, by default a component called Password Manager is also installed and automatically launched on startup," explained Ormandy on the Google Security Research page.
"This is trivially exploitable and discoverable in the default install, and obviously wormable - in my opinion, you should be paging people to get this fixed."
Ormandy, who detailed his findings alongside his correspondence with Trend Micro, publicly urged the firm to take immediate steps to fix the security hole.
"I don't even know what to say - how could you enable this thing by default on all your customer machines without getting an audit from a competent security consultant?" he told the firm.
"You need to come up with a plan for fixing this right now. Frankly, it also looks like you're exposing all the stored passwords to the internet, but let's worry about that screw up after you get the remote code execution under control."
Ormandy found he could easily use an exploit to access all passwords stored in the component, even if they were held in an encrypted format.
"You can use the decryptString API to decrypt all the strings, and then post them somewhere else," he said.
"This means anyone on the internet can steal all of your passwords completely silently, as well as execute arbitrary code with zero user interaction. I really hope the gravity of this is clear to you, because I'm astonished about this."
"Trend Micro helpfully adds a self-signed https certificate for localhost to the trust store, so you don't need to click through any security errors," said Ormandy.
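The mechanism Ormandy describes is a local HTTP(S) service that answers any caller, so a script on an arbitrary web page can reach it through the victim's own browser. The following is an added illustration, not Trend Micro's code and not part of the original report, of the checks a local API of that kind needs before honouring a request: an Origin allowlist (so ordinary web pages cannot call it), a Host check (so the service cannot be reached through a DNS name that resolves to 127.0.0.1), and a per-install secret that only the legitimate client knows. The extension origin, header name, port and endpoint name are hypothetical placeholders; `authorize_weak` models the accept-everything behaviour the article describes, beside the hardened `authorize`.

```python
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical allowlist: only the vendor's own browser extension may call the API.
ALLOWED_ORIGINS = {"chrome-extension://EXAMPLE_EXTENSION_ID"}
# Hosts the local service is willing to answer for (defeats DNS-rebinding tricks).
ALLOWED_HOSTS = {"127.0.0.1", "localhost"}
# Per-install secret, generated at install time and shared only with the extension.
INSTALL_TOKEN = secrets.token_urlsafe(32)
LISTEN_PORT = 0  # placeholder; 0 lets the OS pick a free port for this demo


def authorize_weak(headers):
    """Behaviour described in the article: any caller is served, no questions asked."""
    return True, "ok"


def authorize(headers, allowed_origins=ALLOWED_ORIGINS, expected_token=INSTALL_TOKEN,
              allowed_hosts=ALLOWED_HOSTS):
    """Return (allowed, reason). All three checks must pass; each failure names itself."""
    host = (headers.get("Host") or "").split(":")[0]
    if host not in allowed_hosts:
        return False, "unexpected Host header"
    origin = headers.get("Origin")
    if origin is None or origin not in allowed_origins:
        return False, "origin not allowed"
    token = headers.get("X-Local-Auth") or ""
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not secrets.compare_digest(token, expected_token):
        return False, "missing or wrong token"
    return True, "ok"


class LocalApiHandler(BaseHTTPRequestHandler):
    """Minimal local API that refuses every request failing authorize()."""

    def do_POST(self):
        allowed, reason = authorize(self.headers)
        if not allowed:
            self.send_response(403)
            self.end_headers()
            self.wfile.write(reason.encode())
            return
        # Hypothetical endpoint; a real service would dispatch on self.path here.
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"authorized request handled")

    def log_message(self, *args):  # keep the demo quiet
        pass


def main():
    # Bind to the loopback interface only; the Origin/Host/token checks above are
    # still needed because a browser on this machine can reach loopback for any page.
    server = HTTPServer(("127.0.0.1", LISTEN_PORT), LocalApiHandler)
    print("listening on 127.0.0.1:%d" % server.server_address[1])
    server.serve_forever()


if __name__ == "__main__":
    main()
```

Binding to loopback alone is not a defence here: the article's point is that the attacker never connects to the machine directly, the victim's browser does it for them, so the service must be able to tell its own client apart from any web page the user happens to visit.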
Christopher Budd, global threat communications manager at Trend Micro, said in an official statement provided to V3 that the emergency patch is now available for all customers.
"We released a mandatory update through Trend Micro's ActiveUpdate technology on 11 January that fixes these problems: all customers should have that now," he said.
"It's important to note that for Trend Micro Password Manager, ActiveUpdates cannot be turned off which means that all current Trend Micro Password Manager customers get all updates provided through ActiveUpdate.
"For all intents and purposes, the reported critical vulnerabilities affect an old, no-longer available version of Trend Micro Password Manager."