It's patching time: Microsoft released its Patch Tuesday updates for September yesterday. Microsoft released only two updates, and neither is rated critical. However, we should see an Internet Explorer update soon, as Microsoft is working to incorporate the latest Flash update. Per a Patchmanagement.org post, Microsoft is working closely with Adobe to align release schedules as closely as possible so that Flash Player in Windows 8 and IE10 is always secure. Updates are light all around compared to August. This month we have seen three updates to date from third-party application ISVs: Chrome, Firefox and Thunderbird.
The two Patch Tuesday updates address four issues in Visual Studio Team Foundation Server 2010 SP1, Systems Management Server 2003 SP3 and System Center Configuration Manager 2007 SP2.
The security update resolves a cross-site scripting (XSS) vulnerability in Visual Studio Team Foundation Server that allows an attacker to inject a malicious script when a user visits a specially crafted page using TFS Web Access. If the script executes successfully, it can give the attacker elevated privileges on the user's system.
MS12-062 Vulnerability in System Center Configuration Manager Could Allow Elevation of Privilege
This security update resolves a vulnerability in Microsoft System Center Configuration Manager that allows elevation of privilege when a user visits a specially crafted URL. An attacker could persuade or trick users into clicking the URL, so users need to make sure they don't click on malicious links.
Microsoft Security Advisories
- Update Rollup for ActiveX Kill Bits.
- Update For Minimum Certificate Key Length.
- Unauthorized Digital Certificates Could Allow Spoofing.
- Un-encapsulated MS-CHAP v2 Authentication Could Allow Information Disclosure.
- Vulnerabilities in Microsoft Exchange and FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution.
Microsoft released the above five security advisories for the month of September 2012, of which the update on ActiveX kill bits seems quite essential. The security advisory sets the kill bits for the following third-party software: Cisco Secure Desktop, Cisco Hostscan and Cisco AnyConnect Secure Mobility Client.