ATTK of the Pwns: Trend Micro's antivirus tools 'will run malware – if its filename is cmd.exe'


Try not to save files to your Windows PC called cmd.exe or regedit.exe

A flaw in the Trend Micro Anti-Threat Toolkit can be exploited by hackers to run malware on victims' Windows computers.

Bug-hunter John "hyp3rlinx" Page took credit for uncovering CVE-2019-9491, an arbitrary code execution flaw in the security tool.
In short, the Trend software can be tricked into executing any old piece of software under the sun, including malware, when it is scanned, provided the filename is cmd.exe or regedit.exe. No, really.

"Trend Micro Anti-Threat Toolkit (ATTK) will load and execute arbitrary .EXE files if a malware author happens to use the vulnerable naming convention of 'cmd.exe' or 'regedit.exe'," hyp3rlinx explained on Saturday.

"And the malware can be placed in the vicinity of the ATTK when a scan is launched by the end user."
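
A pre-launch check a defender could run before starting an ATTK scan, as an added example that is not from the article, hyp3rlinx or Trend Micro. It assumes "vicinity" means the directory tree the tool is launched from (the article does not define it); the function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

# The two filenames the advisory says ATTK will load and execute.
RISKY_NAMES = {"cmd.exe", "regedit.exe"}


def sha256_of(path):
    """Hash a file in chunks; return None if it cannot be read."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    except OSError:
        return None
    return digest.hexdigest()


def find_planted_binaries(tool_dir):
    """Return sorted (path, sha256) pairs for every file under tool_dir
    whose name matches a risky name, ignoring case as Windows does."""
    hits = []
    for root, _dirs, files in os.walk(tool_dir):
        for name in files:
            if name.lower() in RISKY_NAMES:
                path = os.path.join(root, name)
                hits.append((path, sha256_of(path)))
    return sorted(hits)


def safe_to_launch(tool_dir):
    """True only when no cmd.exe / regedit.exe sits beside the tool."""
    return not find_planted_binaries(tool_dir)


def demo():
    """Constructed scenario: a clean tool folder, then one with a look-alike."""
    with tempfile.TemporaryDirectory() as tool_dir:
        # Hypothetical stand-in for the toolkit executable.
        open(os.path.join(tool_dir, "toolkit_placeholder.exe"), "wb").close()
        clean = safe_to_launch(tool_dir)
        with open(os.path.join(tool_dir, "CMD.EXE"), "wb") as fh:
            fh.write(b"constructed stand-in, not a real binary")
        hits = find_planted_binaries(tool_dir)
        return clean, [os.path.basename(p) for p, _ in hits]


if __name__ == "__main__":
    print(demo())
```

The hash of any hit can be compared with the copy in the Windows system directory to tell a stray system binary from an impostor.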