=====================================================================
                            CERT-Renater

                Information Note No. 2020/VULN033
_____________________________________________________________________

DATE                 : 22/01/2020

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Trend Micro Security 2020 (Consumer),
                       Trend Micro Security 2019 (Consumer).

=====================================================================
https://esupport.trendmicro.com/en-us/home/pages/technical-support/1124099.aspx
https://esupport.trendmicro.com/en-us/home/pages/technical-support/1124090.aspx
_____________________________________________________________________

SECURITY BULLETIN: Trend Micro Security (Consumer) Persistent Arbitrary
Code Execution Vulnerability

Solution ID: 1124099
Last Updated: Jan. 15, 2020 6:13 (PST)
Applies to: Antivirus+ Security - 2019, Antivirus+ Security - 2020;
            Internet Security - 2019, Internet Security - 2020;
            Maximum Security - 2020, 2019;
            Premium Security - 2019, Premium Security - 2020

Release Date: January 15, 2020
CVE Vulnerability Identifiers: CVE-2019-20357
Platform: Windows
CVSSv3 Scores: 6.7
Severity Ratings: Medium

Summary

Trend Micro has released updates for the Trend Micro Security 2019 and
2020 consumer family of products which resolve a Persistent Arbitrary
Code Execution vulnerability.

Affected versions

Product               Affected Versions            Platform           Language(s)
Premium Security      2019 (v15) and 2020 (v16)    Microsoft Windows  English
Maximum Security      2019 (v15) and 2020 (v16)    Microsoft Windows  English
Internet Security     2019 (v15) and 2020 (v16)    Microsoft Windows  English
Antivirus + Security  2019 (v15) and 2020 (v16)    Microsoft Windows  English

Solution

Product             Updated Build        Platform           Language(s)
All Versions Above  2020 - 16.0.0.1249   Microsoft Windows  English
                    2019 - 15.0.1255

Trend Micro has addressed these vulnerabilities via a patch that is
available now through the product’s automatic ActiveUpdate (AU) feature
for all products listed above.
Customers who receive regular automatic updates from the Internet should
have already received the update. Customers who have not yet received
the update can manually click Update Now to ensure they have the latest
build.

Customers who are still using Trend Micro Security 2019 (v15) and below
can download Trend Micro Security 2020 (v16) here.

Vulnerability Details

This update resolves an issue with the Trend Micro Mobile Security 2019
and 2020 consumer family of products which could potentially allow an
attacker the ability to create a malicious program to escalate
privileges and attain persistence on a vulnerable system.

Trend Micro has received no reports nor is aware of any actual attacks
against the affected product related to this vulnerability at this time.

Acknowledgement

Trend Micro would like to thank the following individual for responsibly
disclosing the issue and working with Trend Micro to help protect our
customers:

John Page (aka hyp3rlinx) of ApparitionSec

Additional Assistance

Customers who have questions are encouraged to contact Trend Micro
Technical Support for further assistance.
_____________________________________________________________________

SECURITY BULLETIN: Trend Micro Security 2019 (Consumer) Arbitrary Code
Execution Vulnerability

Solution ID: 1124090
Last Updated: Jan. 14, 2020 5:25 (PST)
Applies to: Antivirus+ Security - 2019; Internet Security - 2019;
            Maximum Security - 2019; Premium Security - 2019

Release Date: January 14, 2020
CVE Vulnerability Identifiers: CVE-2019-19697
Platform: Windows
CVSS 3.0 Scores: 3.9
Severity Ratings: Low

Summary

Trend Micro Security 2019 (Consumer) is vulnerable to arbitrary code
execution which could allow an attacker to tamper with protected
services.

Affected versions

Product               Affected Versions  Platform           Language(s)
Premium Security      2019 (v15)         Microsoft Windows  English
Maximum Security      2019 (v15)         Microsoft Windows  English
Internet Security     2019 (v15)         Microsoft Windows  English
Antivirus + Security  2019 (v15)         Microsoft Windows  English

Solution

Product             Updated Build  Platform           Language(s)
All Versions Above  2020 (v16)     Microsoft Windows  English

Trend Micro has addressed these vulnerabilities in the latest version of
the product, Trend Micro Security 2020 (v16), which can be obtained
here.

Vulnerability Details

Trend Micro Security 2020 (Consumer) resolves an arbitrary code
execution vulnerability in the 2019 (v15) version of the product which
could allow an attacker to gain elevated privileges and tamper with
protected services by disabling them or otherwise preventing them from
starting.

Please note that an attacker must already have administrator privileges
on the machine to exploit this vulnerability.

Trend Micro has received no reports nor is aware of any actual attacks
against the affected product related to this vulnerability at this time.

Acknowledgement

Trend Micro would like to thank the following individual for responsibly
disclosing the issue and working with Trend Micro to help protect our
customers:

John Page (aka hyp3rlinx) of ApparitionSec

Additional Assistance

Customers who have questions are encouraged to contact Trend Micro
Technical Support for further assistance.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================