The title on HN understates the case at this point. It's not just remote code execution (more than bad enough, by itself). If you are foolish enough to trust Trend Micro, they install a password store, whence:
Then you can use the decryptString API to decrypt all the strings, and then
POST them somewhere else.
So this means, anyone on the internet can steal all of your passwords
completely silently, as well as execute arbitrary code with zero user
interaction. I really hope the gravity of this is clear to you, because I'm
astonished about this.
You can convince their shit product to POST ALL YOUR PASSWORDS to an arbitrary server.
This really is a horrific security flaw. Hard to believe that software made specifically to protect users and their computers opens up the floodgates and serves their passwords on a plate.
OK ... let me spell it out for those who apparently can't figure it out by themselves:
"This is really a horrific medical safety problem. Hard to believe an oil that is made specifically to cure your ailments has non-foodsafe stuff in it!"
If the packaging of snake-oil tells you about its miraculous properties ... that is, believe it or not, not a reliable source of information.