An update announced last week by Trend Micro for its Anti-Threat Toolkit (ATTK) addresses some additional attack methods related to a vulnerability initially patched in October 2019.
Trend Micro ATTK allows users to perform forensic scans of their system and clean rootkit, ransomware, MBR and other types of malware infections. ATTK is also used by other Trend Micro products, including WCRY Patch Tool and OfficeScan Toolbox.
Researcher John Page, aka hyp3rlinx, discovered last year that ATTK was affected by a vulnerability that a remote attacker could exploit to execute arbitrary code with elevated privileges by planting malicious files named cmd.exe or Regedit.exe in the same directory as the tool. The application would execute those planted files when a scan was initiated.
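The planting pattern described above, from the defender's side, as an added example that is not code from the article, Trend Micro or the researchers: one function shows the hardened way to launch a system executable (by absolute path under the system directory rather than by bare name, so the application's own directory is never searched), and the other audits a tool's directory listing for files whose names collide with those system executables. The directory listing and paths are constructed sample data.

```python
"""Added example: defensive checks for the binary-planting issue in ATTK.
Uses PureWindowsPath so it runs on any OS against constructed input."""
from pathlib import PureWindowsPath

# The two names the article says were abused; extend as needed (assumption).
SYSTEM_BINARIES = {"cmd.exe", "regedit.exe"}


def safe_system_binary(name: str, system_root: str = r"C:\Windows") -> str:
    """Hardened form: resolve a system executable to an absolute path under
    %SystemRoot%\\System32. A bare name such as "cmd.exe" makes Windows walk
    the process search order, which begins in the application's directory;
    an absolute path removes that lookup entirely."""
    if name.lower() not in SYSTEM_BINARIES:
        raise ValueError(f"{name} is not an allowed system binary")
    return str(PureWindowsPath(system_root, "System32", name.lower()))


def find_planted_binaries(tool_dir: str, entries) -> list:
    """Detection: flag files in the tool's own working directory whose names
    collide with system binaries. `entries` is a directory listing; here it
    is constructed, on a live system it would come from os.listdir(tool_dir).
    Matching is case-insensitive because NTFS filename lookup is."""
    return sorted(
        str(PureWindowsPath(tool_dir, entry))
        for entry in entries
        if entry.lower() in SYSTEM_BINARIES
    )


# Constructed listing of an ATTK-style working directory (sample data).
SAMPLE_LISTING = ["attk.exe", "CMD.EXE", "Regedit.exe", "readme.txt"]

if __name__ == "__main__":
    print("launch via:", safe_system_binary("cmd.exe"))
    for hit in find_planted_binaries(r"C:\Tools\ATTK", SAMPLE_LISTING):
        print("planted binary candidate:", hit)
```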
The vulnerability, tracked as CVE-2019-9491, was patched in mid-October with the release of version 220.127.116.113.
Researcher Stefan Kanthak also analyzed the vulnerability and found that Trend Micro had not patched it completely. Kanthak identified three other similar attack methods that could be used against ATTK to execute arbitrary code by planting specially crafted files in specific locations.
He informed Trend Micro of his findings on October 23 and the cybersecurity firm last week released another update, version 18.104.22.1688, to patch the new flaws.
Trend Micro has updated its advisory for CVE-2019-9491 and assigned a second CVE identifier, CVE-2019-20358, to the related vulnerabilities discovered by Kanthak.
While exploitation of the flaws requires physical or remote access to the targeted system, Trend Micro has advised customers to install the patches as soon as possible.
Kanthak also claims to have identified some issues in how Trend Micro developed its ATTK product.
“The Trend Micro Anti-Threat Toolkit inspected in October 2019 was built from scrap: the developers used VisualStudio 2008 (end-of-life for two years), linked against an outdated and vulnerable LIBCMT, shipped an outdated and vulnerable cURL 7.48 plus an outdated and vulnerable libeay32.dll 22.214.171.124 (OpenSSL 1.0.1 has been end-of-life for more than 3 years; the last version was 126.96.36.199),” he said in an advisory published on the Full Disclosure mailing list. “This POOR (really: TOTAL lack of proper) software engineering alone disqualifies this vendor and its ‘security’ products!”