Critical Patch 1755 resolves several vulnerabilities in SMEX 12.0 Patch 1 for SP1.
Resolved Issues
- Issue: SMEX 12.0 Patch 1 for SP1 communicates with the Active Update (AU) server over HTTP, which is unencrypted.
Solution: This critical patch enables SMEX to communicate with the AU server over HTTPS by default.
To configure this feature:
- Install the critical patch.
- Open the Registry Editor.
- Locate the following key and set the appropriate values:
Path: HKLM\SOFTWARE\TrendMicro\ScanMail for Exchange\CurrentVersion
Key: AUFromHTTPSServer
Type: REG_DWORD
Data value:
"1" = (default) enables the solution
"0" = disables the solution
- Restart SMEX.
- Issue: A Cross-Site Request Forgery (CSRF) vulnerability in SMEX 12.0 Patch 1 for SP1 may allow remote attackers to submit a malicious request to the ScanMail server.
Solution: This critical patch resolves the CSRF vulnerability.
- Issue: A cross-site scripting (XSS) vulnerability in SMEX 12.0 Patch 1 for SP1 may enable attackers to inject client-side scripts into web pages viewed by other users.
Solution: This critical patch resolves the XSS vulnerability.
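A read-only check of the AUFromHTTPSServer setting from the first resolved issue, as an added PowerShell example that is not part of Trend Micro's advisory. The registry path and value name come from the configuration steps above; the function name Get-SmexAuHttpsStatus and its status labels are assumptions made for this example.

```powershell
# Added example: audit the AUFromHTTPSServer setting described in the advisory.
# Path and value name are taken from the advisory text; the function name and
# the Status labels are hypothetical, chosen for this example only.
function Get-SmexAuHttpsStatus {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SOFTWARE\TrendMicro\ScanMail for Exchange\CurrentVersion',
        [string]$Name = 'AUFromHTTPSServer'
    )

    $result = [ordered]@{
        Computer = $env:COMPUTERNAME
        Path     = $Path
        Name     = $Name
        Kind     = $null
        Data     = $null
        Status   = $null
    }

    # The SMEX key itself is absent: SMEX is not installed under this path.
    if (-not (Test-Path -LiteralPath $Path)) {
        $result.Status = 'KeyMissing'
        return [pscustomobject]$result
    }

    # The key exists but the value does not: confirm the critical patch is installed.
    $key = Get-Item -LiteralPath $Path
    if ($key.GetValueNames() -notcontains $Name) {
        $result.Status = 'ValueMissing'
        return [pscustomobject]$result
    }

    $result.Kind = $key.GetValueKind($Name)
    $result.Data = $key.GetValue($Name)

    # The advisory specifies REG_DWORD with 1 = enabled and 0 = disabled.
    $result.Status = if ($result.Kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) { 'WrongType' }
                     elseif ($result.Data -eq 1) { 'HttpsEnabled' }
                     elseif ($result.Data -eq 0) { 'HttpsDisabled' }
                     else { 'UnexpectedData' }

    [pscustomobject]$result
}

Get-SmexAuHttpsStatus
```

Any status other than HttpsEnabled on a patched server is worth following up, since a value of 0 returns AU traffic to unencrypted HTTP.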
System Requirements:
Install this critical patch only on computers protected by the latest SMEX 12.0 Patch 1 for SP1. Download the latest Service Pack and patch from Trend Micro Download Center.
Recommended Action:
Trend Micro recommends that you apply Critical Patch 1755 on SMEX 12.0 Patch 1 for SP1.
Download SMEX 12.0 Critical Patch 1755 for SP1 Patch 1.
Download the corresponding Readme file for more information.
Reference:
SECURITY BULLETIN: Trend Micro ScanMail for Exchange 12.0 Multiple Vulnerabilities