Microsoft releases two 'important' patches for XSS vulnerabilities
Microsoft to issue seven patches, three of them critical, on next week's Patch Tuesday
Microsoft released two bulletins rated as ‘important' on its Patch Tuesday for September yesterday.
As revealed by SC Magazine last week, these address two unique vulnerabilities. Microsoft said that it believed neither of the issues are being actively exploited in the wild and neither bulletin requires customers to restart their machines.
Jason Miller, manager of research and development at VMware, said that both Microsoft security bulletins apply to specific and possible rare software on administrators networks.
He said: “MS12-061 affects Visual Studio Team Foundation Server 2010 SP1 and MS12-062 affects Systems Management Server 2003/2007. Both bulletins are rated as important and fix one privately reported cross-site scripting (XSS) vulnerability that could lead to elevation of privilege.
“As for priority this month on which bulletin to apply, administrators should assess their servers and prioritise accordingly to their software setup.”
Looking at the patches, Ziv Mador, director of security research at Trustwave SpiderLabs, said that MS12-061 fixes an XSS vulnerability that could allow an attacker to inject a client-side script into a web browser that is using Team Foundation Server web access.
“Basically that would allow the bad guy increased privileges if a user clicks a specially crafted link in an email or on a website. Once the script is installed the bad guy could then spoof content, steal information or do anything that the original user could do,” he said.
Looking at MS12-062, Mador said that the XSS vulnerability can be exploited by tricking a user into visiting a specially crafted URL.
Andrew Storms, director of security operations at nCircle, said: “It's surprising there are only two bulletins in this month's patch because there's definitely a backlog of old bugs in addition to the new ones we already know about. For example, MS-CHAP was discussed at Black Hat this year.
“This does make you wonder what Microsoft has planned for the October patch. Did Microsoft choose to deliver an extremely small patch this month because they have a monster patch in final testing for next month?
This might be the first month Microsoft has delivered a set of patches that don't require a reboot. IT teams focused on uptime and availability metrics will be smiling for the rest of the month.”