Views:

Bulletin Date: July 15, 2020

Platform: Microsoft Windows

Assigned CVE: CVE-2020-15602

CVSSv3 Scores: 7.8(High)

Summary

Trend Micro has released new builds of the Trend Micro Security 2020 consumer family of products that resolve an untrusted search patch vulnerability in the Trend Micro installer.

Affected versions

Product Affected Versions Platform Language(s)
Premium Security 2020 (v16.0.1146 and below) Windows English
Maximum Security 2020 (v16.0.1146 and below) Windows English
Internet Security 2020 (v16.0.1146 and below) Windows English
Antivirus+ 2020 (v16.0.1146 and below) Windows English

Solution

Product Updated Build Platform Language(s)
All Trend Micro Security 2020 versions above v16.0.1373 Windows English


Trend Micro has addressed these vulnerabilities by updating the installer builds on the products above and are now available for download. Exisitng installations are not affected, but customers should update their installers for new installations.

Vulnerability Details

An untrusted search path remote code execution (RCE) vulnerability in the product could allow an attacker to run arbitrary code on a vulnerable system. As the Trend Micro installer tries to load DLL files from its current directory, an arbitrary DLL could also be loaded with the same privileges as the installer if run as Administrator.

User interaction is required to exploit the vulnerbaility in that the target must open a malicious directory or device.

Trend Micro has received no reports nor is aware of any actual attacks against the affected product related to this vulnerability at this time.

Acknowledgement

Trend Micro would like to thank the following individual for responsibly disclosing the issue and working with Trend Micro to help protect our customers:

  • Shahee Mirza (@shaheemirza) of Beetles Cyber Security

Additional Assistance

Customers who have questions are encouraged to contact Trend Micro Support for further assistance.

Related Info

Add a comment