Security News > 2020 > February > Trend Micro Patches More Vulnerabilities in Anti-Threat Toolkit
An update announced last week by Trend Micro for its Anti-Threat Toolkit addresses some additional attack methods related to a vulnerability initially patched in October 2019.
Researcher Stefan Kanthak has also analyzed the vulnerability and discovered that Trend Micro has failed to patch it completely.
Trend Micro has updated its advisory for CVE-2019-20358 and assigned a second CVE identifier, CVE-2019-20358, to the related vulnerabilities discovered by Kanthak.
While exploitation of the flaws requires physical or remote access to the targeted system, Trend Micro has advised customers to install the patches as soon as possible.
"The Trend Micro Anti-Threat Toolkit inspected in October 2019 was built from scrap: the developers used VisualStudio 2008, linked against an outdated and vulnerable LIBCMT, shipped an outdated and vulnerable cURL 7.48 plus an outdated and vulnerable libeay32.dll 1.0.1.17," he said in an advisory published on the Full Disclosure mailing list.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-01-30 | CVE-2019-20358 | Incorrect Permission Assignment for Critical Resource vulnerability in Trendmicro Anti-Threat Toolkit 1.62.0.1218 Trend Micro Anti-Threat Toolkit (ATTK) versions 1.62.0.1218 and below have a vulnerability that may allow an attacker to place malicious files in the same directory, potentially leading to arbitrary remote code execution (RCE) when executed. | 7.8 |