
Release Date: March 15, 2018

Overview

Trend Micro is aware of an article that was recently published in a major German technical magazine regarding a potential vulnerability that may encompass several popular password managers, including Trend Micro Password Manager. The article claims that a malicious party may be able to obtain password information from a sophisticated attack on a machine.

Trend Micro was one of several vendors that were said to have been affected by this vulnerability.

Upon verification from Trend Micro’s development team, we were able to recreate the attack scenario, but do not consider it a high risk because there are a couple of conditions that must be met for it to work:

  • The attacker must already have user privileges to perform the memory dump locally; or have administrator access to preconfigure the remote debugging port necessary to perform the attack remotely
  • The browser session must still be open (active)

Analysis

The root cause is that Password Manager relies on the browser’s internal garbage collection mechanism as part of its browser integration, and this process does appear to have a window of time in which some information is left unencrypted in memory before being deleted. In additional tests, our development team was able to retrieve the same type of login and password information from a browser with no extensions installed (such as Password Manager) using the same attack scenario, so this is not specifically a Password Manager issue.

Mitigation

Unfortunately, Trend Micro did not receive this reported vulnerability under the principles of responsible disclosure, so our development team had very limited time to analyze the information before publication. However, there are some mitigation strategies that users can take to defend against this type of attack:

  1. Ensure that access to the machine is secured and that only known, trusted users are using it; this includes both physical and remote access. (Prevents the memory dump.)
  2. Close the browser as soon as you are finished with the activity that requires Password Manager. Closing the browser ends the process that must be running for the attack and clears the memory contents it depends on. (Clears sensitive information from memory.)
  3. Perform regular system cleanup maintenance so that old memory dumps no longer needed for legitimate troubleshooting are deleted. (Ongoing precaution.)
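The following is an added example, not Trend Micro's code, that turns mitigations 1 and 3 into a check a defender can run: it flags browser processes launched with a remote debugging endpoint (the precondition for the remote variant of the attack) and lists stale memory dump files on disk. The browser image names and the `--remote-debugging-port`/`--remote-debugging-pipe` flags are assumptions for Chromium-family browsers and Firefox; the process list and dump files are constructed sample data.

```python
"""Added example (not Trend Micro's code): checks for two preconditions the
advisory names, a browser exposing a remote debugging endpoint and stale
memory dump files left on disk."""
import os
import re
import tempfile
import time
from pathlib import Path

# Flags that expose a debugging endpoint through which process memory can be
# read (assumed: Chromium-family --remote-debugging-port/--remote-debugging-pipe,
# and Firefox's --remote-debugging-port).
REMOTE_DEBUG_RE = re.compile(r"--remote-debugging-(port|pipe)\b")
BROWSER_NAMES = {"chrome.exe", "chrome", "chromium", "msedge.exe", "msedge",
                 "firefox.exe", "firefox", "brave.exe", "brave"}

# Constructed sample of (pid, image name, command line), shaped like what a
# process lister such as psutil.process_iter() returns.
SAMPLE_PROCESSES = [
    (1204, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe --profile-directory=Default"),
    (1310, "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe --remote-debugging-port=9222"),
    (2002, "firefox.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    (2050, "code.exe", r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe --remote-debugging-port=9229"),
]


def find_remote_debug_browsers(processes):
    """Return pids of browsers whose command line enables remote debugging
    (advisory condition 1: the port must be preconfigured for a remote attack)."""
    return [pid for pid, image, cmdline in processes
            if image.lower() in BROWSER_NAMES and REMOTE_DEBUG_RE.search(cmdline)]


def find_stale_dumps(root, max_age_days=7, now=None):
    """Return .dmp files under root untouched for max_age_days (mitigation 3:
    old dumps may still hold credentials that were unencrypted in memory)."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    return sorted(str(p) for p in Path(root).rglob("*.dmp") if p.stat().st_mtime < cutoff)


def demo_stale_dumps():
    """Create a constructed temp directory with one 30-day-old dump and one
    fresh dump, and return the basenames flagged as stale."""
    with tempfile.TemporaryDirectory() as root:
        old, fresh = Path(root, "chrome_old.dmp"), Path(root, "chrome_today.dmp")
        old.write_bytes(b"MDMP")
        fresh.write_bytes(b"MDMP")
        thirty_days_ago = time.time() - 30 * 86400
        os.utime(old, (thirty_days_ago, thirty_days_ago))
        return [Path(p).name for p in find_stale_dumps(root)]


if __name__ == "__main__":
    print("browsers with remote debugging:", find_remote_debug_browsers(SAMPLE_PROCESSES))
    print("stale dumps:", demo_stale_dumps())
```

On a live host, feed `find_remote_debug_browsers` the tuples from `psutil.process_iter(['pid', 'name', 'cmdline'])` and point `find_stale_dumps` at the directories where crash or troubleshooting dumps are written.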

Long Term Strategy

From a longer term perspective, Trend Micro is looking at ways to improve browser integration of Password Manager, in addition to looking at other ways to potentially strengthen the security of existing browsers.

Trend Micro always recommends that users ensure the security of their user credentials and apply the latest patches, not only from Trend Micro but from all critical vendors, as soon as they are able, in order to ensure they have the latest protection against any known vulnerabilities.
