The Anti-Threat Toolkit (ATTK) from Trend Micro is a standalone tool for detecting and cleaning up malware infections. Like any other anti-malware software, however, it can itself contain security flaws, and a researcher has now disclosed a vulnerability in Trend Micro ATTK that allows code execution: an attacker who gets a file onto the victim's machine, for example as a download, can have the trusted tool run it.
About Trend Micro Anti-Threat Toolkit (ATTK) Vulnerability
Researcher John Page, who goes by the alias hyp3rlinx, has disclosed a security vulnerability in Trend Micro ATTK.
Explaining the flaw in his advisory, he stated that it enables an attacker to execute code of their choosing. Ironically, the anti-malware tool can thus be turned into a vehicle for running malware.
Trend Micro Anti-Threat Toolkit (ATTK) will load and execute arbitrary .EXE files if a malware author happens to use the vulnerable naming convention of “cmd.exe” or “regedit.exe” and the malware can be placed in the vicinity of the ATTK when a scan is launched by the end-user.
Since the ATTK is signed by a verified publisher and therefore assumed trusted, any MOTW security warnings are bypassed if the malware was internet downloaded.
Because the planted binary is started every time the user launches an ATTK scan, the flaw also doubles as a persistence vector: the attacker's code runs again on each subsequent scan without any further action on their part.
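The two practical consequences of the advisory are a check for the end-user and a fix for the developer. The PowerShell below is an added example, not the researcher's PoC and not Trend Micro's code: it audits the folder a downloaded tool will run from for executables that borrow the names the advisory cites, reporting their Authenticode status and Mark-of-the-Web zone, and it shows the launcher-side fix of resolving a system tool under the real system directory rather than by bare name. The download path used at the bottom is an assumption.

```powershell
# Added example, not code from the article, the advisory, or Trend Micro.
# Two checks that follow from the advisory's description of CVE-2019-9491:
#  1. Audit the folder a downloaded tool will run from for look-alikes of the
#     system binaries the advisory names (cmd.exe, regedit.exe). The genuine
#     copies live under %SystemRoot%\System32, so any hit elsewhere is suspect.
#  2. Launcher-side fix: resolve a system tool under the real system directory
#     instead of by bare name, so the application directory cannot shadow it.
# CreateProcess resolves a bare name by searching the application's own directory
# first, then the current directory, then System32, then the Windows directory,
# then PATH, which is what lets a planted file win.

function Find-PlantedSystemBinaries {
    param(
        [Parameter(Mandatory)] [string] $ToolDir,
        [string[]] $Names = @('cmd.exe', 'regedit.exe')   # names cited in the advisory
    )
    Get-ChildItem -LiteralPath $ToolDir -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Names -contains $_.Name } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # Zone.Identifier is the Mark-of-the-Web alternate data stream written to
            # downloads; ZoneId=3 means "Internet". The advisory's point is that the
            # signed ATTK process starts the planted file without this ever being checked.
            $ads  = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -Raw -ErrorAction SilentlyContinue
            $zone = if ($ads -and $ads -match 'ZoneId=(\d)') { [int]$Matches[1] } else { $null }
            [pscustomobject]@{
                Path      = $_.FullName
                Signature = $sig.Status                     # 'Valid' only for an intact, trusted signature
                Signer    = $sig.SignerCertificate.Subject
                ZoneId    = $zone                           # 3 => downloaded from the internet
            }
        }
}

function Start-SystemTool {
    # Hardened launcher: build the absolute path under the real system directory
    # and refuse to run anything that is not there.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string[]] $ArgumentList = @()
    )
    $systemDir = [Environment]::SystemDirectory            # e.g. C:\Windows\System32
    $full = Join-Path $systemDir ([IO.Path]::GetFileName($Name))
    if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
        throw "Refusing to run '$Name': not present in $systemDir"
    }
    $params = @{ FilePath = $full; Wait = $true; NoNewWindow = $true }
    if ($ArgumentList.Count -gt 0) { $params.ArgumentList = $ArgumentList }
    Start-Process @params
}

# Assumed download location; adjust to wherever the tool was saved.
Find-PlantedSystemBinaries -ToolDir 'C:\Users\Public\Downloads\ATTK' | Format-Table -AutoSize

# Runs the genuine %SystemRoot%\System32\cmd.exe regardless of what sits next to the script.
Start-SystemTool -Name 'cmd.exe' -ArgumentList '/c', 'echo resolved from the system directory'
```

Run the audit before launching any downloaded scanner: a cmd.exe or regedit.exe next to the tool whose Signature is anything other than Valid, or that carries a ZoneId of 3, has no business being there. The launcher function is the developer-side counterpart; by always supplying an absolute path under the system directory it never gives the search order a chance to pick the application directory.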
Alongside the advisory, the researcher also published a proof-of-concept video demonstrating the exploit.
Trend Micro Has Released a Fix
The flaw is tracked as CVE-2019-9491. The researcher reported it to Trend Micro in September 2019, and the vendor confirmed the vulnerability a few days later.
The flaw affects ATTK for Windows in versions 184.108.40.2068 and below. Following the report, Trend Micro has released an updated build of the ATTK that patches the bug; users should make sure they are running ATTK version 220.127.116.113 or later before launching a scan, and should download the tool only from Trend Micro's own site.
In other news, Avast has recently disclosed a security breach: attackers gained access to its internal network in an intrusion that appears to have been aimed at tampering with its CCleaner application.
Let us know your thoughts in the comments.