HTML sanitization component vulnerability could allow escalation of privilege
Report ID: MS201210003
Date Published: 10 October 2012
Criticality: Important
Compromise Type: privilege-escalation
Compromise From: remote
Affected Product/Component:
Microsoft InfoPath 2007
Microsoft InfoPath 2010
Microsoft Communicator 2007
Microsoft Lync 2010
Microsoft Lync Attendee
Microsoft SharePoint Server 2007
Microsoft SharePoint Server 2010
Microsoft Groove Server 2010
Microsoft Windows SharePoint Services 3.0
Microsoft SharePoint Foundation 2010
Microsoft Office Web Apps 2010
Summary
A vulnerability involving HTML sanitization in selected Microsoft products could lead to an attacker gaining elevated privileges on an affected system.
Detailed Description
Microsoft has released a security update to address a vulnerability involving HTML sanitization in selected Microsoft products. The vulnerability was caused by a flaw in the way that HTML strings are sanitized. Upon successful exploitation, an attacker could read protected content and take actions on behalf of the user.
The latest update release fixes this issue by modifying the way that HTML strings are sanitized. Users are advised to install the latest security update as a protection measure against potential exploit attempts.
CVE Reference
CVE-2012-2520
Solution
Install the latest security patch for the applicable system, available for download from http://technet.microsoft.com/en-us/security/bulletin/ms12-066
F-Secure Health Check
F-Secure's free tool, the Health Check, detects if your system is missing the patch for the vulnerability covered in this report.




