HONG KONG SAR – Media OutReach – 7 February 2022 – Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, today confirmed its commitment to making the digital world safer by revealing the instrumental role its Zero Day Initiative (ZDI)* played in finding and reporting a critical vulnerability in the file sharing protocol Samba.

To find out more about the Samba flaw and how to mitigate its impact, please visit our blog here and technical support alert here.

“This latest vulnerability disclosure comes on the heels of the recent Log4j vulnerability and highlights the challenges many global security teams have in mitigating risk across a multitude of applications and open source software,” said Jon Clay, vice president of threat intelligence at Trend Micro. “The good news is this was found during our Pwn2Own event, which means we had an opportunity to work with the developers to responsibly patch and disclose the vulnerabilities. So far, we have not heard of any in-the-wild attacks occurring.”

Trend Micro’s Pwn2Own events run regularly around the world, challenging contestants to find new vulnerabilities and exploits in widely used software and systems. They are part of a company-wide effort to enhance cybersecurity for customers and the entire online community through the ZDI and Trend Micro’s own global threat intelligence team of thousands of researchers.

These efforts are increasingly important as organizations continue to digitally transform, expanding their attack surface and reliance on software – particularly open source components.

The vulnerability in question, CVE-2021-44142, was given a CVSS score of 9.9, illustrating its potentially critical impact on affected organizations. If exploited, the out-of-bounds heap read/write bug could allow remote attackers to execute arbitrary code as root.

While no exploits of this vulnerability have been seen in the wild, the window in which affected organizations must patch critical new vulnerabilities before threat actors start exploiting them is increasingly short.

Trend Micro therefore calls on all organizations to patch CVE-2021-44142 or update to the latest Samba version as a matter of urgency.

* The vulnerability was originally disclosed at Pwn2Own Austin 2021 by Nguyen Hoang Thach and Billy Jheng Bing-Jhong of STAR Labs. Lucas Leong of Trend Micro’s ZDI discovered additional variants which were disclosed to Samba as part of this fix. The original issue was also independently found by Orange Tsai of DEVCORE. The ZDI is the world’s largest vendor-agnostic bug bounty program. Since 2005, it has been making software safer by incentivizing researchers to find and responsibly disclose vulnerabilities to vendors.