Security Bulletin: Untrusted Search Path RCE Vulnerability in Trend Micro Security 2020 (Consumer)

LAST UPDATED: JUL 15, 2020

Bulletin Date: July 15, 2020

Platform: Microsoft Windows

Assigned CVE: CVE-2020-15602

CVSSv3 Scores: 7.8(High)

Summary

Trend Micro has released new builds of the Trend Micro Security 2020 consumer family of products that resolve an untrusted search patch vulnerability in the Trend Micro installer.

Affected versions

Product	Affected Versions	Platform	Language(s)
Premium Security	2020 (v16.0.1146 and below)	Windows	English
Maximum Security	2020 (v16.0.1146 and below)	Windows	English
Internet Security	2020 (v16.0.1146 and below)	Windows	English
Antivirus+	2020 (v16.0.1146 and below)	Windows	English

Solution

Product	Updated Build	Platform	Language(s)
All Trend Micro Security 2020 versions above	v16.0.1373	Windows	English

Trend Micro has addressed these vulnerabilities by updating the installer builds on the products above and are now available for download. Exisitng installations are not affected, but customers should update their installers for new installations.

Vulnerability Details

An untrusted search path remote code execution (RCE) vulnerability in the product could allow an attacker to run arbitrary code on a vulnerable system. As the Trend Micro installer tries to load DLL files from its current directory, an arbitrary DLL could also be loaded with the same privileges as the installer if run as Administrator.

User interaction is required to exploit the vulnerbaility in that the target must open a malicious directory or device.

Trend Micro has received no reports nor is aware of any actual attacks against the affected product related to this vulnerability at this time.

Acknowledgement

Trend Micro would like to thank the following individual for responsibly disclosing the issue and working with Trend Micro to help protect our customers: