Security Bulletin: Untrusted Search Path RCE Vulnerability in Trend Micro Security 2020 (Consumer)

Bulletin Date: July 15, 2020

Platform: Microsoft Windows

Assigned CVE: CVE-2020-15602

CVSSv3 Scores: 7.8(High)

Summary

Trend Micro has released new builds of the Trend Micro Security 2020 consumer family of products that resolve an untrusted search patch vulnerability in the Trend Micro installer.

Affected versions

Solution

Trend Micro has addressed these vulnerabilities by updating the installer builds on the products above and are now available for download. Exisitng installations are not affected, but customers should update their installers for new installations.

Vulnerability Details

An untrusted search path remote code execution (RCE) vulnerability in the product could allow an attacker to run arbitrary code on a vulnerable system. As the Trend Micro installer tries to load DLL files from its current directory, an arbitrary DLL could also be loaded with the same privileges as the installer if run as Administrator.

User interaction is required to exploit the vulnerbaility in that the target must open a malicious directory or device.

Trend Micro has received no reports nor is aware of any actual attacks against the affected product related to this vulnerability at this time.

Acknowledgement

Trend Micro would like to thank the following individual for responsibly disclosing the issue and working with Trend Micro to help protect our customers:

• Shahee Mirza (@shaheemirza) of Beetles Cyber Security

Additional Assistance

Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.

Related Info

• Trend Micro News and Advisories