OpenSSL vulnerability CVE-2014-0160 (Heartbleed) solution for Worry-Free Business Security (WFBS) 9.0

    • Updated: 13 May 2014
    • Product/Version: Worry-Free Business Security Standard/Advanced 9.0
    • Platform: Windows 2012 Enterprise, Windows 8.1 32-bit, Windows 8.1 64-bit
Summary
The recent OpenSSL Heartbleed Vulnerability (CVE-2014-0160) has led to questions regarding which Trend Micro products may be affected. This Knowledgebase entry identifies products that may potentially be affected by this vulnerability. This article also provides the critical patch for WFBS 9.0 to protect customers from the Heartbleed vulnerability.
Details
What is Heartbleed?
The Heartbleed bug is a serious vulnerability in the popular OpenSSL cryptographic software library. OpenSSL is an implementation of the SSL/TLS encryption protocol used to protect the privacy of Internet communications. OpenSSL is used by many web sites and other applications such as email, instant messaging and VPNs.
Heartbleed allows an attacker to read the memory of systems using certain versions of OpenSSL, potentially allowing them to access usernames, passwords, or even the secret security keys of the server. Obtaining these keys can allow malicious users to observe all communications on that system, enabling further exploitation.
Who is impacted by Heartbleed?
Given that this vulnerability has existed for at least two years, an organization that has deployed servers running OpenSSL versions 1.0.1 through 1.0.1f in that period is likely vulnerable to the Heartbleed Bug and should take immediate steps to remediate.
While there are some initial reports of attacks based on the Heartbleed vulnerability, these are preliminary reports, and it should be noted that it is very difficult to determine if this attack has occurred in the past. Accordingly, even if an organization is not currently vulnerable, it may have been in the past, and it should therefore take immediate steps to remediate if it has deployed the vulnerable OpenSSL versions.
What products may be affected?
Trend Micro has identified that the SmartScan server component of WFBS 9.0 is affected by this issue (OpenSSL 1.0.1e).
WFBS versions 6.0, 7.0, and 8.0 use an earlier OpenSSL library and are therefore NOT affected by this vulnerability.
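A version-string triage for the range given above (OpenSSL 1.0.1 through 1.0.1f), as an added example that is not Trend Micro's code. The host names and banner strings are constructed sample data, and the `review` result for pre-release builds is an assumption of this example, since the article does not cover them.

```python
import re

# Range stated in the article: OpenSSL 1.0.1 through 1.0.1f are affected.
AFFECTED_BASE = (1, 0, 1)
LAST_AFFECTED_LETTER = "f"

# Accepts forms such as "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL/1.0.1e".
_VERSION_RE = re.compile(
    r"openssl[\s/_-]*(\d+)\.(\d+)\.(\d+)([a-z]*)(-(?:beta|pre|dev)\w*)?",
    re.IGNORECASE,
)


def classify(banner):
    """Return 'affected', 'not_affected', 'review' or 'unparsed'."""
    m = _VERSION_RE.search(banner)
    if not m:
        return "unparsed"
    base = tuple(int(part) for part in m.group(1, 2, 3))
    letter = m.group(4).lower()
    # Assumption of this example: pre-release builds and unusual multi-letter
    # suffixes are outside the range the article gives, so a person checks them.
    if m.group(5) or len(letter) > 1:
        return "review"
    if base != AFFECTED_BASE:
        return "not_affected"
    # "" (plain 1.0.1) sorts before "a", so 1.0.1 .. 1.0.1f all compare <= "f".
    return "affected" if letter <= LAST_AFFECTED_LETTER else "not_affected"


def triage(inventory):
    """Group host names by classification of their reported OpenSSL banner."""
    groups = {}
    for host, banner in sorted(inventory.items()):
        groups.setdefault(classify(banner), []).append(host)
    return groups


# Constructed sample inventory (hypothetical host names and banners).
SAMPLE_INVENTORY = {
    "scan-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-01": "Server: Apache/2.2.22 (Win32) mod_ssl/2.2.22 OpenSSL/0.9.8y",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "lab-01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "app-01": "OpenSSL 1.0.1 14 Mar 2012",
    "nas-01": "version string not reported",
}

if __name__ == "__main__":
    for result, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{result}: {', '.join(hosts)}")
```

A banner only reports the version string: a vendor build that backported the fix without changing the version will still show as affected, so confirm flagged hosts against the vendor's patch level.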
A complete list of affected Trend Micro products can be found here. Continue to visit this site on a regular basis since the list is continually being updated with information and solutions as they become available.
Recommended Action
The risk of this issue being exploited on WFBS 9.0 from outside a user’s environment is very low, since the SmartScan server component is used for AV pattern distribution only, does not handle sensitive information, and is usually only accessible on an internal customer network.
Even though the risk is considered very low, to address this vulnerability Trend Micro has released Critical Patch 1439, which is applicable to all localized languages (language independent) of WFBS 9.0 and can be downloaded from our Download Center.
Furthermore, the WFBS 9.0 installer package has been repacked to comply with Trend Micro’s solution. WFBS 9.0 Repack 2 already includes this critical patch. Customers who already use Repack 2 do not need to apply this critical patch. Customers who do not know whether they are using Repack 2 can apply this critical patch again.
Customers who have issues obtaining the solutions or any questions/issues are advised to contact their authorized Trend Micro support representative for further assistance.
Category: Troubleshoot
Solution Id: 1103356