Trend Micro security products were shipped with a remote debugger program that attackers could exploit to run arbitrary code, a security researcher found.
Google Project Zero team member Tavis Ormandy noted that Trend Micro Maximum Security, Premium Security and Password Manager all installed and ran a remote Node.js debugging stub automatically.
Trend Micro attributed the security issue to a third-party module.
As the third-party module could not be easily modified, Trend Micro initally wanted to push out a temporary fix and asked for more time before disclosure so the company's development team could "crack open the source code and disable the debug port", and reintegrate the utility into its products, Ormandy said.
The researcher analysed the proposed temporary patch and expressed concerns about its quality, noting he had found some edge cases where it would fail to prevent the debugger from being used to execute arbitrary code on users systems remotely.
Trend Micro acknowledged that the severity and priority of the issue was "absolutely critical" and developed a patch over the Easter holidays that is being currently rolled out, he wrote.
This could be used again to execute commands and code remotely on Windows machines, Ormandy noted.