Microsoft Forefront UAG vulnerabilities could allow information disclosure
Report ID: MS201204004
Date Published: 12 April 2012
Compromise Type: information-disclosure, spoofing
Compromise From: remote
Microsoft Forefront Unified Access Gateway 2010 SP1
Microsoft Forefront Unified Access Gateway 2010 SP1 Update 1
Two vulnerabilities in Microsoft Forefront Unified Access Gateway (UAG) could lead to information disclosure, possibly allowing an attacker to view secured resources.
Microsoft has released a security update to address two reported vulnerabilities in Microsoft Forefront Unified Access Gateway (UAG), each of which could lead to information disclosure.
The first one, a spoofing vulnerability, could be exploited to impersonate a legitimate UAG web interface and trick users into surrendering their private data. This vulnerability was caused by a failure to validate and confirm redirection to an external website.
The second vulnerability was caused by an incorrect configuration of a default website on a UAG server. An attacker could use this condition to view secured resources on the server.
Both vulnerabilities have been resolved in the latest update, which modifies the UAG code and the UAG server's default binding settings. Users are advised to install this latest update to protect their systems from potential exploits.
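As an added illustration (not code from Microsoft, UAG or the original advisory), this Python function shows the kind of validate-and-confirm check whose absence the first vulnerability describes. The host names, the `TRUSTED_HOSTS` set and the three-way allow/confirm/reject outcome are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Hypothetical portal hosts (assumption); a real deployment lists its own.
TRUSTED_HOSTS = {"portal.example.com", "apps.example.com"}


def classify_redirect(target: str) -> str:
    """Classify a user-supplied redirect target.

    'allow'   -> site-relative path or HTTPS URL on a trusted host
    'confirm' -> well-formed external URL; show an interstitial first
    'reject'  -> malformed or ambiguous; never redirect
    """
    if not target or len(target) > 2048 or target != target.strip():
        return "reject"
    # Browsers treat '\' as '/' and drop tabs/newlines, so refuse them
    # rather than guess how a client will normalise the URL.
    if "\\" in target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return "reject"
    try:
        parts = urlsplit(target)
        host, _port = parts.hostname, parts.port  # .port raises on junk
    except ValueError:
        return "reject"
    if not parts.scheme and not parts.netloc:
        # Site-relative: exactly one leading '/', since '//host' is
        # scheme-relative and would leave the site.
        ok = target.startswith("/") and not target.startswith("//")
        return "allow" if ok else "reject"
    if parts.scheme not in ("http", "https") or not host:
        return "reject"
    # Userinfo makes "trusted-name@other-host" look like the trusted host.
    if parts.username is not None or parts.password is not None:
        return "reject"
    if parts.scheme == "https" and host in TRUSTED_HOSTS:
        return "allow"
    return "confirm"
```

A caller would redirect only on `allow`, render a page naming the destination host and asking the user to continue on `confirm`, and fall back to the portal home page on `reject`.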
Install the latest security patch for the applicable system, available for download from https://technet.microsoft.com/en-us/security/bulletin/ms12-026