SQL injection in Trend Micro's Control Manager
Of all things, Trend Micro's platform for centralised security management is vulnerable to SQL injection attacks. According to US-CERT, versions 5.5 and 6.0 of the Trend Micro Control Manager are vulnerable. The company has provided patches for both affected versions.
The vulnerability in question is a blind SQL injection, which means the web frontend does not divulge any information from the database. According to a report by security consulting firm Spentera, which includes a proof of concept, the vulnerable system can nevertheless be made to leak information such as password hashes by analysing the timing of SQL queries.
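Because a timing-based blind injection gives itself away only through a delay primitive in the request and an unusually slow response, both signals can be checked for in web server logs. The following detection sketch is an added example, not code from Trend Micro, US-CERT or Spentera; the log layout, the /console/ paths, the addresses and the 3-second threshold are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Delay primitives of common database engines, as seen in time-based probes.
DELAY_RE = re.compile(
    r"waitfor\s+delay|\bsleep\s*\(|pg_sleep\s*\(|\bbenchmark\s*\(|dbms_lock\.sleep",
    re.IGNORECASE)
SLOW_MS = 3000  # assumed threshold for "the delay actually executed"

# Constructed sample log: "<client> <method> <url> <status> <duration_ms>"
SAMPLE_LOG = """\
198.51.100.20 GET /console/report?id=42 200 118
203.0.113.7 GET /console/report?id=42%27%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- 200 5112
203.0.113.7 GET /console/report?id=42%2527%253BWAITFOR%2520DELAY%2520%25270%253A0%253A5%2527-- 200 5098
203.0.113.7 GET /console/report?id=42+AND+SLEEP(5) 500 35
198.51.100.20 GET /console/help?topic=sleep+mode 200 4020
"""

def normalise(url):
    """Undo up to three layers of URL encoding, SQL comments and odd spacing."""
    for _ in range(3):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    url = re.sub(r"/\*.*?\*/", " ", url)  # inline comments used to split keywords
    return re.sub(r"\s+", " ", url)

def scan(log_text):
    """Return one finding per request whose URL carries a delay primitive."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip malformed lines
        client, _method, url, _status, ms = parts
        match = DELAY_RE.search(normalise(url))
        if match:
            findings.append({
                "client": client, "path": url.split("?", 1)[0],
                "primitive": match.group(0).lower(), "duration_ms": int(ms),
                # True when the response time suggests the delay ran in the database
                "delay_observed": int(ms) >= SLOW_MS,
            })
    return findings

def clients_with_observed_delay(findings):
    """Count, per client, the probes that were followed by a slow response."""
    return Counter(f["client"] for f in findings if f["delay_observed"])
```

A finding with delay_observed set is the one to escalate: it indicates the injected delay reached the database, so the endpoint should be treated as injectable until patched. The slow but benign help request in the sample is not flagged, since response time alone is not a signal.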