[Japanese]

JVNDB-2020-007305

Installer of Trend Micro Security 2020 (Consumer) may insecurely load Dynamic Link Libraries

Overview

Installers of Trend Micro Security 2020 (Consumer) family may insecurely load Dynamic Link Libraries.

Multiple products provided by Trend Micro Incorporated contain the DLL search path issue, which may lead to insecurely loading Dynamic Link Libraries (CWE-427).

Trend Micro Incorporated reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.

CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 7.8 (High) [NVD Score]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
Affected Products


Trend Micro, Inc.
  • Antivirus+ 2020 for Windows v16.0.1146 and earlier
  • Internet Security 2020 for Windows v16.0.1146 and earlier
  • Trend Micro Maximum Security 2020 for Windows v16.0.1146 and earlier
  • Trend Micro Premium Security 2020 for Windows v16.0.1146 and earlie

Impact

Arbitrary code may be executed with the privilege of the user invoking the installer.
Solution

[Use the latest installer]
Use the latest installer according to the information provided by the developer.

Note that this vulnerability affects the installer only, thus users who have already installed Trend Micro Security 2020 (Consumer) do not need to re-install the software.
Vendor Information

Trend Micro, Inc.
CWE (What is CWE?)

  1. Untrusted Search Path(CWE-426) [NVD Evaluation]
  2. Uncontrolled Search Path Element(CWE-427) [Other]
CVE (What is CVE?)

  1. CVE-2020-15602
References

  1. JVN : JVNVU#98423028
  2. JVN : JVNTA#91240916
  3. National Vulnerability Database (NVD) : CVE-2020-15602
Revision History

  • [2024/08/22]
      Web page was published