====================================================================
                          CERT-Renater

               Information Note No. 2012/VULN403
____________________________________________________________________

DATE                 : 10/10/2012

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Microsoft InfoPath versions 2007, 2010,
                       Microsoft Communicator version 2007,
                       Microsoft Lync version 2010,
                       Microsoft SharePoint Server version 2007, 2010,
                       Microsoft Groove Server version 2010,
                       Microsoft Windows SharePoint Services version 3.0,
                       Microsoft SharePoint Foundation version 2010,
                       Microsoft Office Web Apps version 2010.

======================================================================
KB2741517
http://technet.microsoft.com/en-us/security/bulletin/MS12-066
______________________________________________________________________

Microsoft Security Bulletin MS12-066 - Important

Vulnerability in HTML Sanitization Component Could Allow Elevation of
Privilege (2741517)

Published Date: October 9, 2012
Version: 1.0

General Information

Executive Summary

This security update resolves a publicly disclosed vulnerability in
Microsoft Office, Microsoft Communications Platforms, Microsoft Server
software, and Microsoft Office Web Apps. The vulnerability could allow
elevation of privilege if an attacker sends specially crafted content
to a user.

This security update is rated Important for supported editions of
Microsoft InfoPath 2007, Microsoft InfoPath 2010, Microsoft
Communicator 2007 R2, Microsoft Lync 2010, Microsoft Lync 2010
Attendee, Microsoft SharePoint Server 2007, Microsoft SharePoint
Server 2010, Microsoft Groove Server 2010, Microsoft SharePoint Windows
Services 3.0, Microsoft SharePoint Foundation 2010, and Microsoft
Office Web Apps 2010. For more information, see the subsection,
Affected and Non-Affected Software, in this section.

Affected Software

  Microsoft InfoPath 2007 Service Pack 2
  Microsoft InfoPath 2007 Service Pack 3
  Microsoft InfoPath 2010 Service Pack 1 (32-bit editions)
  Microsoft InfoPath 2010 Service Pack 1 (64-bit editions)
  Microsoft Communicator 2007 R2
  Microsoft Lync 2010 (32-bit)
  Microsoft Lync 2010 (64-bit)
  Microsoft Lync 2010 Attendee (admin level install)
  Microsoft SharePoint Server 2007 Service Pack 2 (32-bit editions)
  Microsoft SharePoint Server 2007 Service Pack 3 (32-bit editions)
  Microsoft SharePoint Server 2007 Service Pack 2 (64-bit editions)
  Microsoft SharePoint Server 2007 Service Pack 3 (64-bit editions)
  Microsoft SharePoint Server 2010 Service Pack 1
  Microsoft Groove Server 2010 Service Pack 1
  Microsoft Windows SharePoint Services 3.0 Service Pack 2 (32-bit version)
  Microsoft Windows SharePoint Services 3.0 Service Pack 2 (64-bit version)
  Microsoft SharePoint Foundation 2010 Service Pack 1
  Microsoft Office Web Apps 2010 Service Pack 1

Vulnerability Information

HTML Sanitization Vulnerability - CVE-2012-2520

An elevation of privilege vulnerability exists in the way that HTML
strings are sanitized. An attacker who successfully exploited this
vulnerability could perform cross-site scripting attacks and run
script in the security context of the logged-on user.

======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23 - 25 Rue Daviel  | fax : 01-53-94-20-41            +
+ 75013 Paris         | email: certsvp@renater.fr       +
=========================================================