OfficeScan (OSCE) 11.0 Service Pack 1 (SP1) Critical Patch 6392 and OSCE XG Critical Patch 1641 address two (2) reported vulnerabilities:
- A Remote Code Execution (RCE) vulnerability in the OfficeScan server allows attackers to execute commands on the server using a query string variable. In OSCE XG, this had been fixed via an AU update.
- The third-party AmMap application has multiple cross-site scripting (XSS) vulnerabilities that allow remote attackers to inject arbitrary web script or HTML.
Objectives
- These critical patches address some specific vulnerabilities outlined in the following Security Bulletin: Trend Micro OfficeScan (OSCE) Multiple Vulnerabilities.
- A minor issue in the previous versions of these patches, in which the agent version was incorrectly reported, has been corrected. Please see the Additional Note below for more information.
Availability
Additional Note
These patches were previously posted for a short time. However, due to some customer reports of a minor issue with the agent version, the original versions were removed and the corrected versions have been re-posted.
Customers who experienced the issue with the original build may either reapply these patches or follow the steps in the following article to resolve the issue: "Agent outdated" appears after installing OfficeScan XG Critical Patch 1641 or OfficeScan 11 Service Pack 1 Patch 1 Critical Patch 6392.
Recommendations
Trend Micro recommends that customers apply OSCE 11.0 SP1 Critical Patch 6392 or OSCE XG Critical Patch 1641.
For support assistance, please contact Trend Micro Technical Support.