
ATTK of the Pwns: Trend Micro's antivirus tools 'will run malware – if its filename is cmd.exe'

Try not to save files to your Windows PC called cmd.exe or regedit.exe

A flaw in the Trend Micro Anti-Threat Toolkit can be exploited by hackers to run malware on victims' Windows computers.

Bug-hunter John "hyp3rlinx" Page took credit for uncovering CVE-2019-9491, an arbitrary code execution flaw in the security tool.

In short, the Trend software can be tricked into executing any old piece of software under the sun, including malware, when it is scanned, provided the filename is cmd.exe or regedit.exe. No, really.

"Trend Micro Anti-Threat Toolkit (ATTK) will load and execute arbitrary .EXE files if a malware author happens to use the vulnerable naming convention of 'cmd.exe' or 'regedit.exe,'" hyp3rlinx explained on Saturday.

"And the malware can be placed in the vicinity of the ATTK when a scan is launched by the end user."


In other words, your Trend antivirus software can be tricked into running a virus. That's… not good. It means if you can save a file on someone's PC as cmd.exe or regedit.exe, via a download or email or something like that, and they're running ATTK, you can now run malicious code on their machine.

"Since the ATTK is signed by a verified publisher and therefore assumed trusted, any MOTW security warnings are bypassed if the malware was downloaded from the internet. It can also become a persistence mechanism, as each time the Anti-Threat Toolkit is run, so can an attacker's malware," the flaw-finder added.

Needless to say, code execution flaws are not a good thing in a security tool. The very software you rely on to protect your machine can be tricked into executing malware. Don't believe us? Here's a proof-of-concept video of the attack in action:

[Embedded YouTube video: proof-of-concept demonstration]

The bug is no secret, either. According to hyp3rlinx, Trend was warned of the flaw back on September 9, and confirmed the bug on the 25th of that month.

The Register asked Trend Micro for comment on the report, and to confirm a patch has been issued, but has yet to hear back at the time of publication. ®

Updated to add

Trend's software was patched on Friday. Make sure you're running version 1.62.0.1223 or higher.
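As an added defender-side example (not from the article, hyp3rlinx, or Trend Micro), the following Python script checks for the two things this story gives a defender to act on: a file named cmd.exe or regedit.exe sitting somewhere other than the Windows system directories (the precondition the bug needs, such as a download folder near where ATTK is run), and whether an ATTK version string is at or above the patched release named in the update. The directory roots and version string are inputs you supply; the list of legitimate system directories is an assumption, and the sample tree it builds is constructed for the demo.

```python
import os
import tempfile
from pathlib import Path, PureWindowsPath

# Filenames the article says ATTK will trust and execute when it scans them.
HIJACK_NAMES = {"cmd.exe", "regedit.exe"}
# Where these binaries legitimately live (assumption: a default Windows layout).
LEGIT_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")
# First fixed ATTK release, as stated in the article's update.
PATCHED_VERSION = (1, 62, 0, 1223)


def parse_version(text):
    """Turn a dotted version such as '1.62.0.1223' into a comparable int tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def attk_is_patched(version_text):
    """True when the installed ATTK is at or above the fixed release."""
    return parse_version(version_text) >= PATCHED_VERSION


def is_legit_location(path):
    """Only copies directly under the real system directories are expected."""
    parent = PureWindowsPath(path).parent  # case-insensitive comparison on Windows paths
    return any(parent == PureWindowsPath(d) for d in LEGIT_DIRS)


def find_lookalikes(root):
    """Walk root and return cmd.exe/regedit.exe copies found outside LEGIT_DIRS."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in HIJACK_NAMES:
                full = os.path.join(dirpath, name)
                if not is_legit_location(full):
                    hits.append(full)
    return sorted(hits)


def build_constructed_sample():
    """Constructed fixture: a Downloads folder with two lookalikes and one benign file."""
    root = tempfile.mkdtemp(prefix="attk_demo_")
    downloads = os.path.join(root, "Downloads")
    os.makedirs(downloads)
    for name in ("cmd.exe", "report.pdf", "REGEDIT.EXE"):
        Path(downloads, name).write_bytes(b"MZ placeholder, not a real binary")
    return root


if __name__ == "__main__":
    for hit in find_lookalikes(build_constructed_sample()):
        print("lookalike outside system dirs:", hit)
```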
