Trend Micro has received reports that Deep Discovery Inspector is vulnerable to the following:
Deep Discovery Inspector is vulnerable to XSS attacks that could allow an unauthenticated user to execute malicious content.
- On some legacy browsers like IE 7 with a low Security Level, Deep Discovery Inspector is vulnerable to XSS that allows an unauthenticated user to execute malicious content through index.php.
- The widget implementation is vulnerable to XSS that allows an unauthenticated user to execute malicious content.
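As an added illustration of the widget-style XSS described above (example code written for this page in Python, not Trend Micro's PHP code and not derived from the product), the block below contrasts a renderer that concatenates an untrusted query parameter straight into markup with one that HTML-escapes it first, and includes a small check a tester or code reviewer can use to confirm that a rendered page no longer reflects markup characters verbatim. The page names, parameter name and markup are constructed for the example.

```python
import html
from urllib.parse import parse_qs

# Constructed widget renderer used only for this example; the parameter name
# "title" and the surrounding markup are assumptions, not the product's code.


def render_widget_unsafe(title: str) -> str:
    """Vulnerable pattern: an untrusted value is concatenated into HTML as-is."""
    return f"<div class='widget'><h2>{title}</h2></div>"


def render_widget_safe(title: str) -> str:
    """Hardened pattern: escape the value before it enters the markup.

    quote=True also escapes ' and " so the value stays inert inside
    attribute contexts, not only between tags.
    """
    return f"<div class='widget'><h2>{html.escape(title, quote=True)}</h2></div>"


def widget_title_from_query(query_string: str) -> str:
    """Pull the widget title out of a raw query string (first value wins)."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("title", [""])[0]


def contains_unescaped_markup(rendered: str, untrusted: str) -> bool:
    """Reviewer/test check: True when an input containing markup characters
    survived verbatim in the output, i.e. the renderer reflected it unescaped.
    Inputs without any markup-significant character are not evidence of XSS."""
    if not any(c in untrusted for c in "<>\"'&"):
        return False
    return untrusted in rendered


if __name__ == "__main__":
    # Constructed sample request; a harmless tag is enough to show reflection.
    title = widget_title_from_query("title=%3Cb%3EStatus%3C%2Fb%3E")
    print("unsafe reflects markup:", contains_unescaped_markup(render_widget_unsafe(title), title))
    print("safe reflects markup:  ", contains_unescaped_markup(render_widget_safe(title), title))
    print(render_widget_safe(title))
```

The check is deliberately conservative: it flags only exact verbatim reflection of an input that carries markup-significant characters, which is the pattern a critical patch for this class of bug is expected to remove.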
Certain Deep Discovery Inspector URLs including the system log and whitelist/blacklist are accessible to a non-administrator user because the pages do not properly check for authorization. An unauthenticated user without administrator privileges may thus gain access to and modify certain system configuration settings.
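To make the missing-authorization issue above concrete, here is an added example (written for this page in Python; it is not Trend Micro's code and the page names, role names and policy table are constructed assumptions). It shows a dispatcher that serves any existing page regardless of session state next to one that enforces a per-page policy, and an audit routine that lists which sensitive pages a given dispatcher would hand to an anonymous session, which is the kind of check a defender can run against a test instance after patching.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Session:
    """Minimal session model: user is None when unauthenticated."""
    user: Optional[str] = None
    roles: set = field(default_factory=set)


# Constructed page-to-role policy for the example. The file names mirror the
# page types named in the advisory (system log, whitelist/blacklist) but are
# assumptions, not the product's real paths. None means the page is public.
PAGE_POLICY = {
    "index.php": None,
    "system_log.php": "admin",
    "whitelist.php": "admin",
    "blacklist.php": "admin",
}


def dispatch_unsafe(page: str, session: Session) -> int:
    """Vulnerable pattern: only checks that the page exists, never who asks."""
    return 200 if page in PAGE_POLICY else 404


def dispatch_safe(page: str, session: Session) -> int:
    """Hardened pattern: authenticate, then authorize, before serving."""
    if page not in PAGE_POLICY:
        return 404
    required_role = PAGE_POLICY[page]
    if required_role is None:
        return 200                      # public page
    if session.user is None:
        return 401                      # not authenticated
    if required_role not in session.roles:
        return 403                      # authenticated but not permitted
    return 200


def audit_anonymous_access(dispatch: Callable[[str, Session], int]) -> list:
    """Return the sensitive pages that `dispatch` serves to an anonymous session.
    An empty list is the expected result for a correctly patched dispatcher."""
    anonymous = Session()
    return [
        page
        for page, role in PAGE_POLICY.items()
        if role is not None and dispatch(page, anonymous) == 200
    ]


if __name__ == "__main__":
    print("unsafe exposes:", audit_anonymous_access(dispatch_unsafe))
    print("safe exposes:  ", audit_anonymous_access(dispatch_safe))
```

The important design point is that the policy lives in one table consulted by the dispatcher, rather than in each page's own code; the advisory's symptom (some pages checking authorization and others not) is what happens when every page is trusted to perform its own check.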
To address these issues, Trend Micro has released Critical Patches for all affected versions. Please refer to the list below. All customers using Deep Discovery Inspector are recommended to apply the critical patch as soon as possible.
Deep Discovery Inspector affected versions that require updates:
| DDI Version | Required Update |
|---|---|
| 3.8 English | Critical Patch B1263 |
| 3.8 Japanese | Critical Patch B2047 |
| 3.7 English | Critical Patch B1248 |
| 3.7 Japanese | Critical Patch B1228 |
| 3.7 Simplified Chinese | Critical Patch B1227 |
| 3.6 English | Critical Patch B1217 |
| 3.5 English | Critical Patch B1477 |
| 3.5 Japanese | Critical Patch B1544 |
| 3.5 Simplified Chinese | Critical Patch B1433 |
The Deep Discovery Inspector critical patches can also be downloaded from the Trend Micro Download Center.
Trend Micro would also like to thank John Page (hyp3rlinx.altervista.org) for the responsible disclosure of the issues addressed in this advisory.