JVNVU#98423028
Installer of Trend Micro Security 2020 (Consumer) may insecurely load Dynamic Link Libraries
Overview
Installers of the Trend Micro Security 2020 (Consumer) family may insecurely load Dynamic Link Libraries.
Products Affected
- Premium Security 2020 for Windows v16.0.1146 and earlier
- Maximum Security 2020 for Windows v16.0.1146 and earlier
- Internet Security 2020 for Windows v16.0.1146 and earlier
- Antivirus+ 2020 for Windows v16.0.1146 and earlier
Description
Multiple products provided by Trend Micro Incorporated contain a DLL search path issue, which may lead to insecure loading of Dynamic Link Libraries (CWE-427).
Impact
Arbitrary code may be executed with the privileges of the user invoking the installer.
Solution
Use the latest installer
Use the latest installer according to the information provided by the developer.
Note that this vulnerability affects the installer only; users who have already installed Trend Micro Security 2020 (Consumer) do not need to re-install the software.
Vendor Status
Vendor | Link |
---|---|
Trend Micro Incorporated | Security Bulletin: Untrusted Search Path RCE Vulnerability in Trend Micro Security 2020 (Consumer) |
References
- Japan Vulnerability Notes JVNTA#91240916: Insecure DLL Loading and Command Execution Issues on Many Windows Application Programs
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector (AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity (AC) | High (H) | Low (L) | | |
Privileges Required (PR) | High (H) | Low (L) | None (N) | |
User Interaction (UI) | Required (R) | None (N) | | |
Scope (S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact (C) | None (N) | Low (L) | High (H) | |
Integrity Impact (I) | None (N) | Low (L) | High (H) | |
Availability Impact (A) | None (N) | Low (L) | High (H) | |
Credit
Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
Other Information
CVE | CVE-2020-15602 |