Friday, July 13, 2012

SharePoint left naked for one month by HTML Sanitization Vulnerability - CVE-2012-1858



On July 10, Microsoft released a security patch to fix the vulnerability in the toStaticHTML API. This API is found in Internet Explorer 8 and 9, SharePoint, and Lync. It is used to sanitize HTML fragments by removing dynamic and potentially malicious content.
If an attacker is able to break the filtering mechanism and pass malicious code through this function, he/she may be able to perform HTML-injection-based attacks (i.e. XSS).
Microsoft has issued several updates to address this vulnerability.
MS12-037 - http://technet.microsoft.com/en-us/security/bulletin/ms12-037  Published: Tuesday, June 12, 2012
MS12-039 - http://technet.microsoft.com/en-us/security/bulletin/ms12-039 Published: Tuesday, June 12, 2012
Note that one month later, Microsoft released one more update for the same vulnerability.
MS12-050 - http://technet.microsoft.com/en-us/security/bulletin/MS12-050 Published: Tuesday, July 10, 2012
It is very interesting that Microsoft released its fix for IE and Lync on June 12, but released its fix for SharePoint only on July 10. Anyone who knew that this particular API is also used in SharePoint therefore had a full month to create an exploit, and a big window in which to exploit this vulnerability on SharePoint.
Wondering what made Microsoft do that. Wasn't that a zero-day for SharePoint?
