Recently found Trend Micro vulnerability allows any website to execute arbitrary Windows commands

Travis Ormandy from the Google Project Zero discovered a wonderful vulnerability in Trend Micro anti-virus products for Windows. By exploiting this vulnerability any website that user is visiting can execute any command on user’s computer.


Ormandy engaged in auditing the popular anti-virus products, drew attention to one of the components of the Trend Micro AV – password manager, written in JavaScript using node.js. It turned out that it opens several HTTP RPC-ports, allowing to execute any commands! This means that any website is able to execute the script on the user’s computer that, for example, can delete all the information on the disk, install other malicious programs from the external network, or simply delete the same antivirus.

I spent about 30 seconds to realize that it allows to execute command openUrlDefaultBrowser, which ultimately triggers ShellExecute().

x = new XMLHttpRequest()“GET”, “https://localhost:49155/api/openUrlInDefaultBrowser?url=c:/windows/system32/calc.exe true);

try { x.send(); } catch (e) {};


Digging deeper, Ormandy discovered that the password manager is so bad that allows the cyber criminals to steal all of the passwords, even if they are encrypted.

I don’t even know what to say. How could you leave that thing turned on by default on all user’s computers, and why a competent expert in the field of information security have not audited? You need a plan to immediately fix this [bug]. Moreover, it seems that all the stored passwords were left without any protection and looking directly to the Internet, but let’s worry about that fail later after you correct RCE-vulnerability – Ormandy wrote in correspondence with Trend Micro.

Basically, attacker just can lure the victim to a malicious web page and run the script that will use Trend Micro antivirus software to execute commands on the remote machine. Attacker can download and install any malware on victim’s computer or just make a cruel joke, for example, clean system disk by executing command RD C:\ /S /Q.

How to protect yourself

Currently, Trend Micro said that it has corrected the vulnerability, so we recommend to all users to update your antivirus software.

Information added: 01/13/2016 05:37 AM;