Security Bulletin: Trend Micro's Response to Magazin für Computertechnik Article Concerning Trend Micro Password Manager

Release Date: March 15, 2018


Overview

Trend Micro is aware of an article that was recently published in a major German technical magazine regarding a potential vulnerability that may affect several popular password managers, including Trend Micro Password Manager. The article claims that a malicious party may be able to obtain password information through a sophisticated attack on a machine.

Trend Micro was one of several vendors that were said to have been affected by this vulnerability.

Upon verification from Trend Micro’s development team, we were able to recreate the attack scenario, but do not consider it a high risk because there are a couple of conditions that must be met for it to work:

  • The attacker must already have user privileges to perform the memory dump locally, or have administrator access to preconfigure the remote debugging port necessary to perform the attack remotely.
  • The browser session must still be open (active).

Analysis

The main explanation for this is that Password Manager relies on the browser’s internal garbage collection mechanism as part of its integration with the browser, and during this process there appears to be a period of time in which some information is left unencrypted before being deleted. In additional tests, our development team was able to retrieve the same type of login and password information from a browser without any extensions installed (e.g. Password Manager) using the same attack scenario, so this is not specifically a Password Manager issue.

Mitigation

Unfortunately, Trend Micro did not receive this reported vulnerability under the principles of responsible disclosure, so our development team had very limited time to analyze the information before publication. However, there are some mitigation strategies that users can take to defend against this type of attack:

  1. Ensure that access to the machine is secured and only known, trusted users are using it – this includes both physical and remote access – Prevents memory dump.
  2. Close the browser as soon as you are finished with the activity that requires the use of Password Manager. Closing the browser will effectively end the process that is required to be running and clears the memory contents required for a successful attack – Clears sensitive information from memory.
  3. Perform regular system cleanup maintenance to ensure old memory dumps that are no longer needed for legitimate troubleshooting purposes are deleted – Ongoing precaution.
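
The two preconditions and mitigation step 3 can be checked with a short audit script. The following is an added example, not Trend Micro code: it flags processes started with a remote debugging port and lists dump files older than a retention period. The Chromium-style `--remote-debugging-port` switch, the dump file suffixes and the sample process list are assumptions made for illustration.

```python
import os
import re
import tempfile
import time

# Assumption: Chromium-style switch; the bulletin only says "remote debugging port".
DEBUG_FLAG = re.compile(r"--remote-debugging-port(?:=|\s+)(\d+)")
# Assumption: common dump file suffixes; extend for your environment.
DUMP_SUFFIXES = (".dmp", ".mdmp", ".hdmp", ".core")


def debug_port_processes(cmdlines):
    """Return (pid, port) for each process started with a remote debugging port."""
    hits = []
    for pid, cmdline in cmdlines:
        m = DEBUG_FLAG.search(cmdline)
        if m:
            hits.append((pid, int(m.group(1))))
    return hits


def stale_dumps(root, max_age_days, now=None):
    """Return dump files under root whose mtime is older than max_age_days."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    stale = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(DUMP_SUFFIXES) and os.path.getmtime(path) < cutoff:
                stale.append(path)
    return sorted(stale)


# Constructed sample process list (pid, command line), not real telemetry.
SAMPLE_PROCS = [
    (4120, "chrome.exe --type=renderer --lang=en-US"),
    (5300, "chrome.exe --remote-debugging-port=9222 --user-data-dir=C:\\tmp\\p"),
    (6011, "notepad.exe report.txt"),
]

if __name__ == "__main__":
    print(debug_port_processes(SAMPLE_PROCS))
    with tempfile.TemporaryDirectory() as d:
        old = os.path.join(d, "browser.dmp")
        open(old, "w").close()
        os.utime(old, (0, 0))  # constructed: pretend the dump dates from 1970
        print(stale_dumps(d, max_age_days=30))
```

In practice the process list would come from the operating system's process inventory, and the listed dump files would be reviewed before deletion in case one is still needed for troubleshooting.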

Long Term Strategy

From a longer term perspective, Trend Micro is looking at ways to improve browser integration of Password Manager, in addition to looking at other ways to potentially strengthen the security of existing browsers.

Trend Micro always recommends that users ensure the security of their user credentials, and try to apply the latest patches from not only Trend Micro but all critical vendors as soon as they are able, in order to ensure they have the latest protection against any known vulnerabilities.

