Microsoft SQL server vulnerability could allow escalation of privilege
Report ID: MS201210007
Date Published: 10 October 2012
Criticality: Important
Compromise Type: privilege-escalation
Compromise From: remote
Affected Product/Component:
Microsoft SQL Server 2000
Microsoft SQL Server 2005
Microsoft SQL Server 2008
Microsoft SQL Server 2008 R2
Microsoft SQL Server 2012
Summary
A vulnerability reported in SQL Server Report Manager could allow an attacker to inject a script into the user's web browser, and take action on behalf of the user.
Detailed Description
Microsoft has released a security update to address a vulnerability in SQL Server Report Manager, caused by improper validation of a request parameter on the SQL Server Report Manager site. An attacker who successfully exploits this vulnerability could inject a client-side script into the user's instance of Internet Explorer and use the script to spoof content, disclose information, or take action on behalf of the user.
This issue has been resolved by correcting the way that SQL Server Report Manager encodes input parameters. As a protection measure against potential exploit attempts, users are recommended to install the latest update for the applicable system.
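The bug class described above, as an added illustration (this is example code written for this page, not code from the F-Secure report or from Microsoft's Report Manager): a server reflects a request parameter into its HTML response without output encoding, beside the hardened form that encodes the parameter at the point where it is written into the page. The request path and the parameter name ItemPath are hypothetical, and the sample request is constructed for the example.

```javascript
// Added example, not from the F-Secure report or Microsoft's code.
// Shows a request parameter reflected into HTML without encoding (the bug
// class the advisory describes) beside the fix: encode at the output point.
// The path and parameter name below are hypothetical, chosen for the example.

// Characters that change meaning inside HTML text or a quoted attribute.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode a value for safe insertion into HTML text or a quoted attribute.
// '&' is in the class too, so already-encoded text is not double-decoded later.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read a named query-string parameter from a request URL (path + query).
function getParam(url, name) {
  return new URL(url, 'http://localhost').searchParams.get(name) || '';
}

// Vulnerable: the parameter is concatenated straight into the markup, so any
// markup characters the client supplies become part of the rendered page.
function renderUnsafe(url) {
  const itemPath = getParam(url, 'ItemPath');
  return `<h2>Folder: ${itemPath}</h2>`;
}

// Hardened: the same page, with the parameter HTML-encoded before output.
function renderSafe(url) {
  const itemPath = getParam(url, 'ItemPath');
  return `<h2>Folder: ${htmlEncode(itemPath)}</h2>`;
}

// Constructed sample request: a benign folder name that happens to contain
// markup characters, which is enough to show the difference between the two.
const SAMPLE_REQUEST =
  '/reports/folder?ItemPath=' + encodeURIComponent('Sales <b>Q3</b> "report"');

// Stand-alone usage: compare the two responses for the same request.
console.log('unsafe:', renderUnsafe(SAMPLE_REQUEST));
console.log('safe:  ', renderSafe(SAMPLE_REQUEST));
```

The unsafe response contains the client's `<b>` tags and quotes verbatim, so the browser interprets them as markup; the hardened response renders the same text literally. The fix Microsoft describes (correcting how Report Manager encodes input parameters) is the general version of the `renderSafe` pattern: encoding belongs at the point where untrusted data is written into the page, in the encoding appropriate to that context.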
CVE Reference
CVE-2012-2552
Solution
Install the latest security patch for the applicable system, available for download from http://technet.microsoft.com/en-us/security/bulletin/ms12-070
F-Secure Health Check
F-Secure's free tool, the Health Check, detects if your system is missing the patch for the vulnerability covered in this report.