Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

SECURITY BULLETIN: Trend Micro Worry-Free Business Security Multiple Vulnerabilities

    • Updated:
    • 16 May 2016
    • Product/Version:
    • Worry-Free Business Security Services 5.7
    • Worry-Free Business Security Services 5.8
    • Worry-Free Business Security Standard/Advanced 8.0
    • Worry-Free Business Security Standard/Advanced 9.0
    • Platform:
    • Windows 10 32-bit
    • Windows 10 64-bit
    • Windows 2003 Enterprise
    • Windows 2003 Server R2
    • Windows 2003 Small Business Server
    • Windows 2003 Small Business Server R2
    • Windows 2003 Standard
    • Windows 2008 Enterprise
    • Windows 2008 Essential Business Server
    • Windows 2008 Server R2
    • Windows 2008 Small Business Server
    • Windows 2008 Standard
    • Windows 2011 Small Business Server Essentials
    • Windows 2011 Small Business Server Standard
    • Windows 2012 Enterprise
    • Windows 2012 Server Essentials
    • Windows 2012 Standard R2
    • Windows 2012 Web Server Edition
    • Windows 7 32-bit
    • Windows 7 64-bit
    • Windows 8 32-bit
    • Windows 8 64-bit
    • Windows 8.1 32-bit
    • Windows 8.1 64-bit
    • Windows Vista 32-bit
    • Windows Vista 64-bit
    • Windows XP Home
    • Windows XP Professional
    • Windows XP Tablet PC
Summary

Release Date: May 16, 2016
Trend Micro Vulnerability Identifier: 2016-0116 (WFBS)
Impact Level: Low
Platform(s): Microsoft Windows

Trend Micro has released updates for Worry-Free Business Security which resolve some vulnerabilities in the product that when certain specific conditions are met could be exploited to access files and directories located outside of the core product web root folder or allow a malicious user to manipulate HTTP headers and create additional application responses entirely under their control.

Details
Public

Affected Version(s)

ProductAffected Version(s)PlatformLanguage(s)
Worry-Free Business Security (Standard and Advanced)9.0 SP3 (Build 4047 and below)WindowsEnglish
8.0 SP1 (Build 2084 and below)WindowsEnglish

Not Affected Version(s)

ProductNot Affected VersionPlatformLanguage(s)
Worry-Free Business Security Services
(Cloud Hosted)
Security Patch deployed on
April 23, 2016
WindowsEnglish

Solution

Trend Micro has categorized this update with the following impact level and has released the following solutions to address the issue:

ProductUpdated versionPlatformImpact LevelAvailability
Worry-Free Business Security
(Standard and Advanced)
9.0 SP3 Critical Patch
(Build 4060)
WindowsLowMay 16, 2016
8.0 SP1 Critical Patch
(Build 2090)
WindowsLowMay 16, 2016

As of May 12, 2016, the version of Worry-Free Business Security 9.0 SP3 available on Trend Micro’s Download Center has been repackaged to include the Critical Patch listed above.

Customers on either Worry-Free Business Security versions 8.0 or 9.0 who have not yet updated to 9.0 SP3 are strongly encouraged to update to this latest version since it not only includes the solution for this vulnerability, but also includes several important enhancements such as Program Inspection and Document Protection Enhancements to help customer protect against potential ransomware attacks.

Customers who had previously downloaded and installed Worry-Free Business Security 9.0 SP3 before May 12, 2016, are highly encouraged to apply the Critical Patch (Build 4060) as soon as possible.

Vulnerability Details

This update resolves two vulnerabilities in Trend Micro Worry-Free Business Security in which an attacker who has already compromised the security environment of the local Worry-Free Business Security server may be able to manipulate certain variables to obtain access to other files and directories outside of the core Worry-Free Business Security web root folder or modify HTTP header values to create additional application responses which can be used to launch other malicious attacks such as cross-site scripting (XSS) or malicious redirects.

Trend Micro has received no reports nor is aware of any actual attacks against the affected products related to this vulnerability at this time.

Mitigating Factors

Please note that the Worry-Free Business Security server port needed for a specifically crafted attack required to exploit these vulnerabilities are not publicly broadcast and is only visible to internal user requests. Furthermore, for an attack of this nature to be attempted, the Worry-Free Business Security server’s own security agent protection would have to have been previously compromised due to the requirement of a malicious file needing to be placed on the server.

However, even though the exploit may require several specific conditions to be met, Trend Micro strongly encourages Worry-Free Business Security customers to update to the latest build as soon as possible.

Acknowledgment

Trend Micro would like to thank Tavis Ormandy of Google Project Zero for responsibly disclosing a similar issue on another product leading to this discovery and working with Trend Micro to help protect our customers.

Premium
Internal
Rating:
Category:
Troubleshoot
Solution Id:
1114098
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.


Need More Help?

Create a technical support case if you need further support.