Japan Vulnerability Notes (JVN)
JVN:60093979
Sep 23, 2020 - 12:00 a.m.

JVN#60093979: Multiple vulnerabilities in Active Update function implemented in multiple Trend Micro products

2020-09-23 00:00:00
Japan Vulnerability Notes (jvn.jp)

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS: 0.002 Low
Percentile: 52.2%

The Active Update function implemented in Premium Security 2019 for Windows (v15), Maximum Security 2019 for Windows (v15), Internet Security 2019 for Windows (v15) and Antivirus+ 2019 for Windows (v15), provided by Trend Micro Incorporated, contains the multiple vulnerabilities listed below.

Update files are not properly verified (CWE-494) - CVE-2020-15604

CVSS v3: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N (Base Score: 5.9)
CVSS v2: AV:N/AC:H/Au:N/C:N/I:C/A:N (Base Score: 5.4)

Improper server certificate verification in the communication with the update server (CWE-295) - CVE-2020-24560

CVSS v3: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N (Base Score: 5.9)
CVSS v2: AV:N/AC:H/Au:N/C:N/I:C/A:N (Base Score: 5.4)

Note that the CVSS analysis of CVE-2020-15604 and CVE-2020-24560 assumes a man-in-the-middle attack conducted by an attacker who places a malicious wireless LAN access point.

Impact

By downloading a specially crafted file, arbitrary code may be executed with SYSTEM privileges.

Solution

Update the software
Apply the appropriate update according to the information provided by the developer.

According to the developer, these vulnerabilities have been resolved in all Titanium Versions at or above 2020 (v16) and 2021 (v17).
Note that the developer recommends that users still running obsolete versions that are no longer supported upgrade to the latest supported versions.

Products Affected

  • Premium Security 2019 for Windows (v15) and earlier
  • Maximum Security 2019 for Windows (v15) and earlier
  • Internet Security 2019 for Windows (v15) and earlier
  • Antivirus+ 2019 for Windows (v15) and earlier

According to the developer, the Active Update function implemented in other products is fixed and is not affected by these vulnerabilities.
