1. 24
  1. 5

    What?! TrendMicro ships a third party binary they have no source code for and can’t alter on their own and this is running on their security product with ring 0 privileges (hope not on the last part)?

    1. 1

      Any context on this?

      1. 4

        The author of this bug has been reviewing security software, as part of their job on Google’s Project Zero. This has resulted in a number of recent bug threads about the findings. In this case, it was published now because TrendMicro reports at the bottom of the thread that they have closed the remote-code-execution vulnerability (yes, in the security program) which all their users had been exposed to.

        I think that was the question?

        1. 2

          That certainly helps the project itself, but I was more thinking about what was this bug in? I saw it was a node server that was exploitable, but I don’t really know what this was a part of.

          1. 3

            Oh, okay.

            What I understand from the bug is that the node server was running as part of those three TrendMicro projects. I’d guess that it must be a component they have in common, but I have no idea what it was used for (and if the author does, they didn’t say). Any process connecting to it would run with the permissions of the security tool. It’s binding to localhost, which protects it against connections from outside. So, part of the bug report is an explanation of how an attacker could craft a web page that, when visited, would make that connection.