Product Vulnerability Response

Trend Micro endeavors to develop and release products that meet the highest standards of quality and security. However, there are rare occasions where an unintended vulnerability may be discovered due to various reasons, including new types of exploits that may be developed after the release of a product.

We take every vulnerability report seriously, investigate each one, and are committed to thoroughly resolving any issues in a timely manner. Trend Micro follows the guidelines of responsible disclosure to ensure its customers address potential vulnerabilities as quickly as possible to mitigate associated risks.

Vulnerability Definition

A Security Vulnerability is defined as a weakness or flaw found in a product or related service component(s) that could be exploited. It may allow an attacker to compromise the product's integrity. At the same time, it may undermine the regular behavior of the product even when properly deployed in a supported configuration. This includes situations wherein the confidentiality (e.g. source code) of a product or service component(s) may be negatively affected.

Traditional product bugs and malware can both also negatively affect the operation of a product, but for the purpose of this process are not included in the definition of a security vulnerability.

Trend Micro highly recommends that security researchers contact the Trend Micro Product Vulnerability Response Team by sending an email to security@trendmicro.com. Submitters are encouraged to utilize Trend Micro’s Product Security PGP key to encrypt sensitive information sent to this address.

A Trend Micro Product Vulnerability Coordinator will acknowledge the receipt of the submission and then begin the process of collaborating with the submitter and Trend Micro product security engineers on validating, reproducing, and ultimately resolving the potential issue if it is confirmed to be a legitimate security vulnerability.

Trend Micro's goal is to resolve confirmed vulnerabilities as quickly and thoroughly as possible, then efficiently distribute the resolution to affected customers. Since each vulnerability is unique, each is addressed accordingly. Ongoing dialog is highly encouraged to best understand the vulnerability and possible risks.

Responsible security researchers understand that customer security is a priority. This means customers are given ample time to deploy the fixes before any findings are released on a public forum, blog, or social media platform.

Emails regarding product vulnerabilities should only be sent to security@trendmicro.com. Regular product support, including malware and other threat-related inquiries, should be directed to your region's authorized Trend Micro Technical Support representative.

| Vulnerability | Products | Last Updated |
| --- | --- | --- |
| Trend Micro Control Manager (TMCM) Multiple Vulnerabilities | Control Manager | August 8, 2016 |
| Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) Multiple Vulnerabilities | InterScan Messaging Security Virtual Appliance | August 8, 2016 |
| Trend Micro Smart Protection Server (Standalone) Multiple Vulnerabilities | Smart Protection Server | August 8, 2016 |
| Trend Micro Deep Discovery Inspector (DDI) Remote Code Execution Vulnerability | Deep Discovery Inspector | June 7, 2016 |
| Trend Micro InterScan Web Security Virtual Appliance (IWSVA) Multiple Remote Code Execution Vulnerabilities | InterScan Web Security Virtual Appliance | May 20, 2016 |
| Trend Micro Worry-Free Business Security Multiple Vulnerabilities | Worry-Free Business Security | May 16, 2016 |
| Trend Micro OfficeScan Path Traversal Vulnerability | OfficeScan | May 16, 2016 |
| Multiple Vulnerabilities in Trend Micro Security | Premium Security, Maximum Security, Internet Security, Antivirus + Security | May 9, 2016 |
| Trend Micro Email Encryption Gateway (TMEEG) SQL Injection Remote Code Execution Vulnerability | Email Encryption Gateway | May 3, 2016 |
| Trend Micro products and the GNU C Library (glibc) Vulnerability – [CVE-2015-7547] | Deep Security | April 27, 2016 |
| MITM SSL Certificate Vulnerability on Trend Micro Mobile Security for iOS Application | Mobile Security for iOS | April 22, 2016 |
| Vulnerability fix in Deep Security 9.5 SP1 Patch 1 | Deep Security | August 16, 2015 |
| Trend Micro Products and the Oracle Java Zero-day (Pawn Storm targeted attack) | Deep Security | July 15, 2015 |
| Trend Micro products and the Hacking Team Flash Zero-Day - [CVE-2015-5119] | Check the KB article to view all related products. | August 11, 2015 |
| Trend Micro products and the Logjam Vulnerability – [CVE-2015-4000] | Deep Security | November 5, 2015 |
| Trend Micro products and the VENOM Vulnerability – [CVE-2015-3456] | Check the KB article to view all related products. | May 29, 2015 |
| Critical Patch available for Anti-malware scan engine failure due to specific malware characteristics - [CVE-2015-6950] | Deep Security | December 17, 2015 |
| Trend Micro products and the POODLE Vulnerability – [CVE-2014-3566] SSLv3 Design Vulnerability | Check the KB article to view all related products. | January 28, 2016 |
| Trend Micro products and the Shellshock Vulnerability – [CVE-2014-6271 and CVE-2014-7169] Linux Bash Vulnerability | Check the KB article to view all related products. | April 21, 2016 |
| Trend Micro products and the CCS Injection Vulnerability – [CVE-2014-0224] OpenSSL Vulnerability | Check the KB article to view all related products. | November 13, 2015 |
| [CVE-2014-0160] TLS and DTLS implementations in OpenSSL 1.0.1 Vulnerability (Heartbleed Bug) | Check the KB article to view all related products. | April 21, 2016 |
| Critical patch available for SQL injection attacks in Control Manager (TMCM) | Control Manager | October 21, 2015 |
| VSAPI to return an error code or allow to execute arbitrary code via crafted compressed file | Check the KB Article to view all related products. | April 13, 2016 |

Trend Micro would like to thank the following security researchers and organizations for working with us to resolve one or more security vulnerabilities in Trend Micro products and services. The individuals and organizations listed below have disclosed one or more security vulnerabilities and have actively worked with Trend Micro engineers to resolve them.

The names of individuals and organizations appear below with their permission.

Disclosures for 2016

  • Aniket Pawar
    bit.ly/1XJetMT
  • Armaan Pathan
    on.fb.me/204Vmgh
  • Ashutosh Barot
    www.ashutoshbarot.com
  • Center of Information Security, Kyrgyzstan
    cis.kg
  • Evan Ricafort (Invalid Web Security)
    www.evanricafort.com
  • Himanshu Mehta
    bit.ly/2bztlzH
  • Iwo Graj (CERT Orange Polska)
    schain.only.pl
  • Jerold Camacho (Invalid Web Security)
    jeroldcamacho.info
  • John Page aka hyp3rlinx
    hyp3rlinx.altervista.org/
  • Jose Carlos Exposito Bueno
    Researcher
  • Jun Kokatsu
    KDDI Singapore Dubai Branch
  • Kamran Saifullah (Ch Mansab Ali)
    www.C-AtraX.com
  • Karim Rahal
    Vulnerability Laboratory & Evolution Security GmbH
  • Kaushik Roy
    bit.ly/1pHDbCm
  • Mansoor Gilal
    fb.com/mansoor.gilal1
  • Oliveira Lima JR (@oliveiralimajr)
    rootlabs.com.br
  • SaifAllah benMassaoud
    Government Laboratory & Evolution Security GmbH
  • Shawar Khan
    on.fb.me/1R5Lv4T
  • Shehu Awwal
    www.shehuawwal.com
  • Spyridon Chatzimichail (OTE S.A.)
    bit.ly/2bgq99Q
  • Travis Emmert
    bit.ly/1T6Io2Y
  • YoKo Kho (@yokoacc)
    Mitra Integrasi Informatika, PT - Consulting & Advisory Svc. Dept.
  • Zawad Bin Hafiz
    www.sekafy.com
  • Zeeshan
    fb.com/zeex.zeeshan

Disclosures for 2015

  • AbderrazakYS
    on.fb.me/abderrazak.404
  • Ahmed Adel Abdelfattah
    fb.me/00SystemError00
  • Ahmed Jerbi
    on.fb.me/1fwQTTy
  • Ali Hassan Ghori
    @alihasanghauri
  • Ali Salem Saeed (Ali BawazeEer)
    bit.ly/1io8QF9
  • Christian Galeone
    linkd.in/1UC8gT2
  • Jayaram Yalla
    Individual
  • John Page aka hyp3rlinx
    hyp3rlinx.altervista.org/
  • k.karthickumar (Ramanathapuram)
    Individual
  • Kevin Michael Joensen
    Secu A/S
  • Khair Alhamad
    bit.ly/1Q9EC5P
  • Konduru Jashwanth
    on.fb.me/1JUg0rd
  • Lawrence Amer
    Individual
  • Mohamed A. Baset
    Seekurity Inc.
  • Mohamed Chamli
    on.fb.me/TnMcH
  • Mohamed Khaled Fathy
    fb.me/Squnity
  • Nathan Young
    E-Secure Australia
  • Nithish M. Varghese
    on.fb.me/nithish.varghese
  • Pradeep Kumar
    on.fb.me/pradeepch99
  • Praveen Ananthoji
    Individual
  • Ramin Farajpour
    @MF4rr3ll
  • Roberto Zanga
    Individual
  • Roy Jansen
    Individual
  • SaifAllah benMassaoud
    on.fb.me/1Mj7Kpq
  • Sajibe Kanti
    eesec.org
  • Salman Khan
    Individual
  • Saurabh Pundir
    on.fb.me/sauby007
  • Shivam Kumar Agarwal
    on.fb.me/shivamkumar.agarwal.9
  • Siddhartha Tripathy
    sg.linkedin.com/in/sidsg
  • Sravan Kudikyala
    Individual
  • Sumit Sahoo
    fb.me/54H00
  • Vishwaraj Bhattrai
    on.fb.me/1Q0OmwQ

We would also like to thank the security researchers and organizations who wished not to be listed.

To report a potential security issue with any Trend Micro product, refer to this section: Report a Vulnerability.