
====================================================================

                                CERT-Renater

                      Information Note No. 2012/VULN120
____________________________________________________________________

DATE                : 14/03/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Windows running
                       Microsoft Visual Studio versions 2008 and 2010.

======================================================================
KB2651019
http://technet.microsoft.com/en-us/security/bulletin/ms12-021
_______________________________________________________________________

Microsoft Security Bulletin MS12-021 - Important
Vulnerability in Visual Studio Could Allow Elevation of Privilege (2651019)

   Published: Tuesday, March 13, 2012

   Version: 1.0

General Information

Executive Summary

   This security update resolves one privately reported vulnerability in
   Visual Studio. The vulnerability could allow elevation of privilege if
   an attacker places a specially crafted add-in in the path used by
   Visual Studio and convinces a user with higher privileges to start
   Visual Studio. An attacker must have valid logon credentials and be
   able to log on locally to exploit this vulnerability. The vulnerability
   could not be exploited remotely or by anonymous users.

   This security update is rated Important for all supported editions of
   Microsoft Visual Studio 2008 and Microsoft Visual Studio 2010. For more
   information, see the subsection, Affected Software, in this section.

Affected Software
   Microsoft Visual Studio 2008 Service Pack 1
   Microsoft Visual Studio 2010
   Microsoft Visual Studio 2010 Service Pack 1

Vulnerability Information

Visual Studio Add-In Vulnerability - CVE-2012-0008

   An elevation of privilege vulnerability exists in Visual Studio due to
   the insecure loading of add-ins from within Visual Studio. An attacker
   who successfully exploited this vulnerability could run arbitrary code
   with elevated privileges. An attacker could then install programs;
   view, change, or delete data; or create new accounts with full user
   rights.


======================================================================

=========================================================
CERT-Renater reference servers
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
