Release Date: March 28, 2023
CVE Vulnerability Identifier: CVE-2023-28929
Platform(s): Microsoft Windows
CVSS: 3.1
Scores: 8.6: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Severity Rating: Medium
Summary
Trend Micro has released an update via ActiveUpdate for the Trend Micro Security for Windows family of consumer products (2021,2022, and 2023) which resolves a DLL hijacking vulnerability.
Affected version(s)
| PRODUCT | AFFECTED VERSION(S) | PLATFORM | LANGUAGE(S) |
|---|---|---|---|
| Trend Micro Security | 2022/2023 (17.7.1476 and below) | Microsoft Windows | English |
| Trend Micro Security | 2021 (17.0.1412 and below) | Microsoft Windows | English |
Solution
Trend Micro has released an update via ActiveUpdate for each version below that resolves the issue.
| PRODUCT | APPLICABLE VERSION(S) | PLATFORM | LANGUAGE(S) |
|---|---|---|---|
| Trend Micro Security | 2022/2023 (17.7.1634 and below) | Microsoft Windows | English |
| Trend Micro Security | 2021 (17.0.1426 and below) | Microsoft Windows | English |
Vulnerability Details
Trend Micro Security 2021, 2022, and 2023 (Consumer) are vulnerable to a DLL Hijacking vulnerability which could allow an attacker to use a specific executable file as an execution and/or persistence mechanism which could execute a malicious program each time the executable file is started.
Trend Micro has received no reports nor is aware of any actual attacks against the affected product related to this vulnerability at this time.
Acknowledgement
Trend Micro would like to thank the following individuals for responsibly disclosing the issue and working with Trend Micro to help protect our customers:
- Nippon Telegraph and Telephone Corporation, NTT Security (Japan) KK, NTT DATA Corporation
- Rintaro Fujita
- Hiroki Hada
- Hiroki Mashiko
Additional Assistance
Customers who have questions are encouraged to contact Trend Micro Technical Support for further assistance.