On 10th july MS released a security patch to Fix the Vulnerability in toStaticHTML API . This API is found in Internet Explorer 8,9, SharePoint and Lync. It is used to sanitize HTML fragments from dynamic and potentially malicious content.
If an attacker is able to break the filtering mechanism and pass malicious code through this function, he/she may be able to perform HTML injection based attacks (i.e. XSS).
Microsoft has issued several updates to address this vulnerability.
MS12-037 - http://technet.microsoft.com/en-us/security/bulletin/ms12-037 Published: Tuesday, June 12, 2012
MS12-039 - http://technet.microsoft.com/en-us/security/bulletin/ms12-039 Published: Tuesday, June 12, 2012
Note here after one month MS released one more update for same Vulnerability.
MS12-050 - http://technet.microsoft.com/en-us/security/bulletin/MS12-050 Published: Tuesday, July 10, 2012
Now it’s very interesting that MS has Released it’s FIX for IE & Lync on June 12 and for SharePoint it released it’s fix on July 10. So whoever has the knowledge that this particular API is used in SharePoint also they had the full 1 month to create the exploit and had a big window to Exploit this vulnerability on SharePoint.
Wondering what makes the MS to do that .Isn't that was a zero day for SharePoint??