The company is said to have used an old API that invoked an "ancient" build of Chromium (the engine that powers Google's Chrome browser). We're currently up to version 49, but the security company utilized version 41, which dates back to January 2015. Using this build to offer a "secure browser" to users, the program would break out of its sandbox, an environment designed to stop attackers from accessing areas they shouldn't. In the example below, the Google engineer was able to run a local program, Windows Calculator in this case, but it could also be used to execute a remote attack.




"I don't even know what to say - how could you enable this thing *by default* on all your customer machines without getting an audit from a competent security consultant?" says Ormandy.

The disclosure also highlights a worrying trend (I know, I know): security companies that provide additional tools to protect people from malicious attacks are actually putting them more at risk. Plus, users may never know that their computer has been attacked.

Trend Micro says it moved quickly to patch the vulnerabilities and "worked with Tavis throughout the process" to resolve them. "Thanks to his responsible work with us, we were able to address the most critical issues he brought us in less than one week."