Microsoft Patch Tuesday – September 2012

Hello, welcome to this month’s blog on the Microsoft patch release. This month the vendor is releasing two bulletins covering a total of two vulnerabilities. None of this month's issues are rated ’Critical’.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available
  • Run all software with the least privileges required while still maintaining functionality
  • Avoid handling files from unknown or questionable sources
  • Never visit sites of unknown or questionable integrity
  • Block external access at the network perimeter to all key systems unless specific access is required

Microsoft's summary of the September releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms12-Sep

The following is a breakdown of the issues being addressed this month:

  1. MS12-061 Vulnerability in Visual Studio Team Foundation Server Could Allow Elevation of Privilege

    XSS Vulnerability (CVE-2012-1892) MS Rating: Important

    A cross-site scripting (XSS) vulnerability exists in Visual Studio Team Foundation Server that could allow an attacker to inject a client-side script into the user's instance of Internet Explorer or any Web browser using TFS Web access. The script could spoof content, disclose information, or take any action that the user could take on the site on behalf of the targeted user.

  2. MS12-062 Vulnerability in System Center Configuration Manager Could Allow Elevation of Privilege

    Reflected XSS Vulnerability (CVE-2012-2536) MS Rating: Important

    A cross-site scripting (XSS) vulnerability exists in System Center Configuration Manager where code can be injected back to the user in the resulting page, effectively allowing attacker-controlled code to run in the context of the user clicking the link.

More information on the vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.