Android
Mac & iOS
Network Security
Data & Privacy
Anti Scam and Spam
Browser Protection
One fine body…
Release Date: March 15, 2018
Trend Micro is aware of an article that was recently published in a major German technical magazine regarding a potential vulnerability that may encompass several popular password managers, including Trend Micro Password Manager. The article claims that a malicious party may be able to obtain password information from a sophisticated attack on a machine.
Trend Micro was one of several vendors that were said to have been affected by this vulnerability.
Upon verification from Trend Micro’s development team, we were able to recreate the attack scenario, but do not consider it a high risk because there are a couple of conditions that must be met for it to work:
The main explanation for this is that Password Manager utilizes the browser’s internal garbage collection mechanism as part of the integration with the browser to function, and part of this process does appears to have a period of time where some information is left unencrypted before being deleted. In additional tests, our development team was able to retrieve the same type of login and password information on a browser without any extensions installed (e.g. Password Manager) using the same attack scenario – so this is not specifically a Password Manager issue.
Unfortunately, Trend Micro did not receive this reported vulnerability under the principles of responsible disclosure, so our development team had very limited time to analyze the information before publication. However, there are some mitigation strategies that users can take to defend against this type of attack:
From a longer term perspective, Trend Micro is looking at ways to improve browser integration of Password Manager, in addition to looking at other ways to potentially strengthen the security of existing browsers.
Trend Micro always recommends that users ensure the security of their user credentials, and try and apply the latest patches from not only Trend Micro but all critical vendors as soon as they are able to order to ensure they have the latest protection against any known vulnerabilities.