Views:

Bulletin Date: November 17, 2020

Platform: Microsoft Windows

Assigned CVE: CVE-2020-27695, 27696, 27697

CVSSv3 Scores: 2.7

Severity Rating: Low


Summary

Trend Micro has released a new version of the Trend Micro Security family of consumer-focused products. This update resolves some Local Privilege Escalation vulnerabilities related to the Trend Micro product installer package.

Affected versions

PRODUCT AFFECTED VERSIONS PLATFORM PLATFORM
Premium Security 2020 (v16) Windows English
Maximum Security 2020 (v16) Windows English
Internet Security 2020 (v16) Windows English
Antivirus+ 2020 (v16) Windows English

Solution

PRODUCT UPDATED BUILD(S) PLATFORM PLATFORM
All Trend Micro Security 2020 versions above 2021 (version 17) Windows English


Trend Micro has addressed these vulnerabilities in the updated installer for Trend Micro Security 2021 (version 17.x) and recommends that all customers download and upgrade to the latest version.

The latest versions of Trend Micro Security (Consumer) can be found here.

Vulnerability Details

  1. CVE-2020-27695: Trend Micro Security 2020 (Consumer) contains a vulnerability in the installer package that could be exploited by placing a malicious DLL in a local directory which can lead to obtaining administrative privileges during the installation of the product.
  2. CVE-2020-27696: Trend Micro Security 2020 (Consumer) contains a vulnerability in the installer package that could be exploited by placing a specific Windows system directory which can lead to obtaining administrative privileges during the installation of the product.
  3. CVE-2020-27697: Trend Micro Security 2020 (Consumer) contains a vulnerability in the installer package that could be exploited by placing a malicious DLL in a non-protected location with high privileges (symlink attack) which can lead to obtaining administrative privileges during the installation of the product.

Trend Micro has received no reports nor is aware of any actual attacks against the affected product related to this vulnerability at this time.

Acknowledgement

Trend Micro would like to thank the following individual for responsibly disclosing the issue and working with Trend Micro to help protect our customers:

  • Eran Shimony of CyberArk

Additional Assistance

Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.

Add a comment