Bulletin Date: July 15, 2020
Platform: Microsoft Windows
Assigned CVE: CVE-2020-15602
CVSSv3 Scores: 7.8 (High)
Trend Micro has released new builds of the Trend Micro Security 2020 consumer family of products that resolve an untrusted search patch vulnerability in the Trend Micro installer.
|Premium Security||2020 (v16.0.1146 and below)||Windows||English|
|Maximum Security||2020 (v16.0.1146 and below)||Windows||English|
|Internet Security||2020 (v16.0.1146 and below)||Windows||English|
|Antivirus+||2020 (v16.0.1146 and below)||Windows||English|
|All Trend Micro Security 2020 versions above||v16.0.1373||Windows||English|
Trend Micro has addressed these vulnerabilities by updating the installer builds on the products above and are now available for download. Exisitng installations are not affected, but customers should update their installers for new installations.
An untrusted search path remote code execution (RCE) vulnerability in the product could allow an attacker to run arbitrary code on a vulnerable system. As the Trend Micro installer tries to load DLL files from its current directory, an arbitrary DLL could also be loaded with the same privileges as the installer if run as Administrator.
User interaction is required to exploit the vulnerbaility in that the target must open a malicious directory or device.
Trend Micro has received no reports nor is aware of any actual attacks against the affected product related to this vulnerability at this time.
Trend Micro would like to thank the following individual for responsibly disclosing the issue and working with Trend Micro to help protect our customers:
- Shahee Mirza (@shaheemirza) of Beetles Cyber Security
Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.