Trend Micro has published a new patch for Trend Micro Mobile Security (Enterprise) 9.7. The product is created to give companies visibility and control over the mobile devices, applications and data used by their workers.
Researchers Steven Seeley from Offensive Security and Roberto Suggi found that Trend Micro Mobile Security for Enterprise product is affected by unrestricted file upload, authentication bypass, SQL injection and proxy command injection flaws. The security researchers have reported the vulnerabilities to Trend Micro via the security firm’s Zero Day Initiative (ZDI).
The most critical vulnerability (CVSS score of 9 or 10), is CVE-2017-14078, a SQL injection that enables remote attackers to execute arbitrary code on vulnerable installations of Trend Micro Mobile Security for Enterprise. To exploit this kind of vulnerabilities it requires that an attacker has access (physical or remote) to the targeted machine.
According to ZDI:
“The specific flaw exists within the processing of the get_moveto_group_list action. When parsing the ‘id’ field, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute arbitrary code under the context of SYSTEM.”
These flaws were reported to the vendor in the middle of May and they were patched last week. Trend Micro strongly encourages users to update to the latest builds ASAP.
