CVE-2019-19697

Vulnerability

Trend Micro Security 2019 (v15) consumer products (Premium, Maximum, Internet Security, Antivirus+Security) contain an arbitrary code execution vulnerability. The software fails to prevent modification of the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtWatchdog.exe, allowing an attacker to set a debugger value to an arbitrary executable. This affects all versions of the 2019 (v15) product line on Microsoft Windows [1].

Exploitation

An attacker must already have administrator privileges on the target machine. The attacker creates the registry key and sets a string value named "debugger" pointing to a malicious executable. Upon restart of the system or the Trend Micro service (e.g., PtWatchdog.exe), the arbitrary executable runs with SYSTEM privileges. The attacker can then disable or prevent the startup of protected services such as coreServiceShell.exe (Asmp service) [1].

Impact

Successful exploitation grants the attacker SYSTEM-level privileges, allowing them to tamper with protected Trend Micro services. This includes disabling the security software's core components, effectively bypassing the product's self-protection mechanisms. The attacker gains full control over the affected services and can prevent them from starting [1].

Mitigation

Trend Micro released a security patch to address this vulnerability. Users should update to the latest version of Trend Micro Security 2019 (v15) via the product's update mechanism or by downloading the patch from the Trend Micro support site [1]. No workaround is available; applying the patch is the recommended mitigation.