We’ve received some questions about recent public reports of vulnerabilities affecting Trend Micro Password Manager.
The most important thing to know is that the critical vulnerabilities in the public report have been fixed for all Trend Micro Password Manager customers. As part of our standard investigation, we checked and verified that the only product affected by these issues is our consumer Trend Micro Password Manager and no commercial or enterprise products are affected. We released a mandatory update through Trend Micro’s ActiveUpdate technology on January 11, 2016 that fixes these problems: all customers should have that now. It’s important to note that for Trend Micro Password Manager, ActiveUpdates cannot be turned off, which means that all current Trend Micro Password Manager customers get all updates provided through ActiveUpdate. For all intents and purposes, the reported critical vulnerabilities affect an old, no-longer-available version of Trend Micro Password Manager.
The details of the situation are that Tavis Ormandy, a well-known and well-respected security researcher, contacted us to report these issues to our Trend Micro Product Vulnerability Response process. Trend Micro has had a mature vulnerability response for a number of years and we handled these reports within that process.
We responded quickly to the initial report and worked with Tavis throughout the process to understand the issues and address them. Thanks to his responsible work with us, we were able to address the most critical issues he brought us in less than one week. We are not aware of any active attacks against these vulnerabilities in that time.
Trend Micro’s Product Vulnerability Response process regularly works closely with security researchers around the world who believe they may have found a security vulnerability affecting Trend Micro products. If you think you may have found a vulnerability affecting Trend Micro products, please contact us so we can work with you to better protect our customers.
There’s more information on Trend Micro’s Product Vulnerability Response here: https://esupport.trendmicro.com/en-us/business/pages/vulnerability-response.aspx