Affected Version(s)
| Product | Affected Version(s) | Platform | Language(s) |
|---|---|---|---|
| Worry-Free Business Security (Standard and Advanced) | 9.0 SP3 (Build 4047 and below) | Windows | English |
| 8.0 SP1 (Build 2084 and below) | Windows | English |
Not Affected Version(s)
| Product | Not Affected Version | Platform | Language(s) |
|---|---|---|---|
| Worry-Free Business Security Services (Cloud Hosted) | Security Patch deployed on April 23, 2016 | Windows | English |
Solution
Trend Micro has categorized this update with the following impact level and has released the following solutions to address the issue:
| Product | Updated version | Platform | Impact Level | Availability |
|---|---|---|---|---|
| Worry-Free Business Security (Standard and Advanced) | 9.0 SP3 Critical Patch (Build 4060) | Windows | Low | May 16, 2016 |
| 8.0 SP1 Critical Patch (Build 2090) | Windows | Low | May 16, 2016 |
As of May 12, 2016, the version of Worry-Free Business Security 9.0 SP3 available on Trend Micro’s Download Center has been repackaged to include the Critical Patch listed above.
Customers on either Worry-Free Business Security versions 8.0 or 9.0 who have not yet updated to 9.0 SP3 are strongly encouraged to update to this latest version since it not only includes the solution for this vulnerability, but also includes several important enhancements such as Program Inspection and Document Protection Enhancements to help customer protect against potential ransomware attacks.
Customers who had previously downloaded and installed Worry-Free Business Security 9.0 SP3 before May 12, 2016, are highly encouraged to apply the Critical Patch (Build 4060) as soon as possible.
Vulnerability Details
This update resolves two vulnerabilities in Trend Micro Worry-Free Business Security in which an attacker who has already compromised the security environment of the local Worry-Free Business Security server may be able to manipulate certain variables to obtain access to other files and directories outside of the core Worry-Free Business Security web root folder or modify HTTP header values to create additional application responses which can be used to launch other malicious attacks such as cross-site scripting (XSS) or malicious redirects.
Trend Micro has received no reports nor is aware of any actual attacks against the affected products related to this vulnerability at this time.
Mitigating Factors
Please note that the Worry-Free Business Security server port needed for a specifically crafted attack required to exploit these vulnerabilities are not publicly broadcast and is only visible to internal user requests. Furthermore, for an attack of this nature to be attempted, the Worry-Free Business Security server’s own security agent protection would have to have been previously compromised due to the requirement of a malicious file needing to be placed on the server.
However, even though the exploit may require several specific conditions to be met, Trend Micro strongly encourages Worry-Free Business Security customers to update to the latest build as soon as possible.
Acknowledgment
Trend Micro would like to thank Tavis Ormandy of Google Project Zero for responsibly disclosing a similar issue on another product leading to this discovery and working with Trend Micro to help protect our customers.