CVE-2020-25779
Description
Trend Micro Antivirus for Mac 2020 (Consumer) has a vulnerability in which an Internationalized Domain Name homograph attack (Punycode) could be used to add a malicious website to the approved websites list of Trend Micro Antivirus for Mac to bypass the web threat protection feature.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Internationalized Domain Name homograph attack bypasses web threat protection in Antivirus for Mac 2020.
Vulnerability
Trend Micro Antivirus for Mac 2020 (Consumer, version 10.x and below) fails to properly validate Internationalized Domain Names (IDNs) when processing the approved websites list. An attacker can craft a domain using Punycode homographs that visually resemble a legitimate domain, which the antivirus software then incorrectly treats as allowed, bypassing the web threat protection feature [1].
Exploitation
An attacker must first be able to convince the user to add a malicious website to the approved websites list via social engineering (e.g., phishing). The attacker then supplies a domain name containing IDN homoglyphs (Punycode) that visually mimics a trusted site. Once added to the list, the antivirus will not block connections to that domain, enabling the attack [1].
Impact
Successful exploitation allows the attacker to bypass Trend Micro's web threat protection for the disguised domain. The attacker gains a means to deliver malware or phishing content without the software's protection blocking the connection. No privilege escalation or system compromise occurs directly from this vulnerability [1].
Mitigation
Trend Micro released patches via ActiveUpdate for Antivirus for Mac 2020 (v10.5 build 1623 and v10.0 build 1803), and the new version 2021 (v11) resolves the issue. Customers on version 9.0 or below should upgrade to a supported version. Users running at least version 10.0 automatically receive the patch [1].
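An added example (not from the advisory or Trend Micro's code): a Python audit of an approved websites list that decodes Punycode labels and flags non-ASCII or mixed-script entries for manual review. The function names, the sample list and the script heuristic based on Unicode character names are assumptions made for illustration.

```python
import unicodedata

def decode_label(label):
    """Return the Unicode form of one DNS label, decoding xn-- Punycode."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(label):
    """Approximate the scripts in a label from each character's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if not (ch.isdigit() or ch == "-")}

def audit_entry(host):
    """List the reasons an approved-list entry needs manual review."""
    reasons = []
    for raw in host.rstrip(".").split("."):
        try:
            label = decode_label(raw)
        except UnicodeError:
            reasons.append(f"{raw}: undecodable Punycode label")
            continue
        if label.isascii():
            continue  # plain ASCII label, nothing to confuse
        found = sorted(scripts(label))
        kind = "mixed scripts" if len(found) > 1 else "non-ASCII label"
        reasons.append(f"{raw} -> {label}: {kind} ({', '.join(found)})")
    return reasons

# Constructed sample list; the look-alike is built from a Cyrillic "a" (U+0430)
# on the reserved name example.com, so no real site is involved.
SPOOF = "xn--" + "ex\u0430mple".encode("punycode").decode("ascii") + ".com"
APPROVED = ["example.com", SPOOF]

if __name__ == "__main__":
    for entry in APPROVED:
        for reason in audit_entry(entry):
            print("REVIEW", entry, "|", reason)
```

Look-alikes written entirely in one non-Latin script are reported only as non-ASCII labels, so every flagged entry still needs a human decision.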
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: 2020 (v10.x)
Patches
No patches discovered yet.
References
[1] helpcenter.trendmicro.com/en-us/article/TMKA-09949 (mitre, x_refsource_MISC)