On 10th july MS released a security patch to Fix the
Vulnerability in toStaticHTML API . This API is found in Internet Explorer 8,9, SharePoint and Lync. It is used to sanitize HTML fragments from
dynamic and potentially malicious content.
If an attacker is able to
break the filtering mechanism and pass malicious code through this function,
he/she may be able to perform HTML injection based attacks (i.e. XSS).
Microsoft has issued several updates to address this
vulnerability.
MS12-037 - http://technet.microsoft.com/en-us/security/bulletin/ms12-037 Published: Tuesday, June 12, 2012
MS12-039 - http://technet.microsoft.com/en-us/security/bulletin/ms12-039
Published: Tuesday, June 12, 2012
Note here after one month MS released one more update for
same Vulnerability.
MS12-050 - http://technet.microsoft.com/en-us/security/bulletin/MS12-050
Published: Tuesday, July 10, 2012
Now it’s very interesting that MS has Released it’s FIX for
IE & Lync on June 12 and for SharePoint it released it’s fix on July 10. So whoever has the knowledge that
this particular API is used in SharePoint also they had the full 1 month to
create the exploit and had a big window to Exploit this vulnerability on SharePoint.
Wondering what makes the MS to do that .Isn't that was a zero day for SharePoint??
No comments:
Post a Comment