Release Date: May 16, 2016
Trend Micro Vulnerability Identifier: 2016-0116 (OSCE)
Impact Level: Low
Platform(s): Microsoft Windows
Trend Micro has released an update for OfficeScan (OSCE) 11.0 Service Pack 1 (SP1) which resolves a vulnerability in the product that, when certain conditions are met, could be exploited to access files and directories located outside of the core product web root folder.
Affected Version(s)
|Product|Affected Version|Platform|Language(s)|
|---|---|---|---|
|OfficeScan|11.0 SP1 (Build 4885 and below)|Windows|English|
Not Affected Version(s)
|Product|Not Affected Version|Platform|Language(s)|
|---|---|---|---|
|OfficeScan|10.6 (Reaching End-of-Support on June 30, 2016)|Windows|English|
Trend Micro has categorized this update with the following impact level and different options to address the issue:
|Product|Updated Version|Platform|Impact Level|Availability|
|---|---|---|---|---|
|OfficeScan|11.0 SP1 Critical Patch 6054|Windows|Low|May 30, 2016|
The critical patch mentioned above is actually a combination of the solution for this vulnerability and some updated features and functionality to help OfficeScan users protect against ransomware. It also supersedes the standalone Hot Fix Build 4889 that was previously available in this article.
This update resolves a vulnerability in Trend Micro OfficeScan 11.0 SP1 in which an attacker who has already compromised the security environment of the local OfficeScan server may be able to manipulate certain variables to obtain access to other files and directories outside of the core OfficeScan web root folder.
Trend Micro has received no reports of, and is not aware of, any actual attacks against the affected products related to this vulnerability at this time.
Please note that the OfficeScan server port needed for the specifically crafted request required to exploit this vulnerability is not publicly broadcast and is only visible to internal user requests. Furthermore, for an attack of this nature to be attempted, the OfficeScan server's own security agent protection would have to have been compromised beforehand, because exploitation requires a malicious file to be placed on the OfficeScan server.
However, even though the exploit may require several specific conditions to be met, Trend Micro strongly encourages OfficeScan customers to update to the latest patches (as outlined above) as soon as possible.
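As an added illustration of the class of issue described above (this is not Trend Micro's code and not the OfficeScan fix, whose implementation details the advisory does not describe), the check below shows the standard mitigation for web-root escape: canonicalize the client-supplied path and confirm that the result still lies inside the web root before serving it. The web root path and the request strings are constructed placeholders, and the web root does not need to exist on disk.

```python
import os
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed placeholder web root for the demonstration; it is not the real
# OfficeScan web root and does not need to exist on disk.
WEB_ROOT = "/tmp/webroot"


def safe_join(web_root: str, requested: str) -> Optional[str]:
    """Map a client-supplied relative path onto a file under web_root.

    Returns the canonical absolute path if it stays inside web_root, or None
    if the request would reach outside the root (directory traversal).
    """
    # Decode percent-encoding exactly once, so "%2e%2e" is checked as "..".
    rel = unquote(requested)
    # Treat backslashes as separators too, as a Windows web server would.
    rel = rel.replace("\\", "/")
    # Absolute paths, drive letters ("C:...") and embedded NUL bytes are rejected.
    if rel.startswith("/") or (len(rel) > 1 and rel[1] == ":") or "\x00" in rel:
        return None
    root = os.path.realpath(web_root)
    # realpath collapses "." and ".." and follows symlinks, so the comparison
    # below is made on the path that would actually be opened.
    candidate = os.path.realpath(os.path.join(root, rel))
    # commonpath rather than startswith: "/tmp/webroot_evil" starts with
    # "/tmp/webroot" as a string but is not inside it as a directory.
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # different drives on Windows
        inside = False
    return candidate if inside else None


def classify_requests(web_root: str, requests: List[str]) -> Dict[str, bool]:
    """Return {request: allowed} for a batch of request paths."""
    return {r: safe_join(web_root, r) is not None for r in requests}


if __name__ == "__main__":
    SAMPLE_REQUESTS = [  # constructed sample input
        "reports/daily.log",
        "reports/./daily.log",
        "../../etc/passwd",
        "reports/../../../etc/passwd",
        "%2e%2e/%2e%2e/etc/passwd",
        "..\\..\\windows\\win.ini",
        "/etc/passwd",
        "../webroot_evil/x",
    ]
    for req, ok in classify_requests(WEB_ROOT, SAMPLE_REQUESTS).items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {req}")
```

The decision is made on the canonical path, not on the raw string, so "reports/../daily.log" is accepted (it resolves to a file under the root) while any sequence that resolves above the root is refused regardless of how it was encoded. Decoding is deliberately done once; a server that decodes again at a later stage must run this check after the final decode.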
Trend Micro would like to thank Tavis Ormandy of Google Project Zero for responsibly disclosing a similar issue on another product leading to this discovery and working with Trend Micro to help protect our customers.