Bulletin Date: September 25, 2020
Platform: Microsoft Windows
Assigned CVE: CVE-2020-25775
CVSSv3 Score: 5.3 (AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H))
Severity Rating: Medium
The Trend Micro Security 2020 consumer family of products has released an update via ActiveUpdate to address a race condition arbitrary file deletion vulnerability.
|Premium Security||2020 (v16 and below)||Windows||English|
|Maximum Security||2020 (v16 and below)||Windows||English|
|Internet Security||2020 (v16 and below)||Windows||English|
|Antivirus+||2020 (v16 and below)||Windows||English|
|All Trend Micro Security versions at or above||2020 (v16) via ActiveUpdate and 2021 (v17)||Windows||English|
Trend Micro has addressed this vulnerability via a patch that is available now through the product’s automatic Active Update feature for all versions of Trend Micro Security listed above. Customers who are up-to-date and have at least Trend Micro Security 2020 (v16) will already have the necessary patch applied. Customers who are concerned about this issue and have 2019 (v15) and below are recommended to upgrade to either 2020 (v16) or 2021 (v17).
The latest version of Trend Micro Security 2021 (v17) can be found here.
The Trend Micro Security 2020 (v16) consumer family of products is vulnerable to a security race condition arbitrary file deletion vulnerability that could allow an unprivileged user to manipulate the product’s secure erase feature to delete files with a higher set of privileges.
Trend Micro has received no reports nor is aware of any actual attacks against the affected product related to this vulnerability at this time.
Trend Micro would like to thank the following individual for responsibly disclosing the issue and working with Trend Micro to help protect our customers:
- Abdelhamid Naceri working with Trend Micro’s Zero Day Initiative
Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.