Internet Security Systems - AlertCon(TM)

September 2011 Microsoft Super Tuesday

Posted by Shane Garrett on September 13, 2011 at 1:45 PM EDT.

Microsoft’s September Super Tuesday update was fairly small and best of all, none of the updates were rated critical. 


The SharePoint update (MS11-074, rated important) contained the largest number of addressed CVEs.  Four of the six vulnerabilities regarded cross-site-scripting in SharePoint 2010.  These vulnerabilities would allow an attacker to inject script code into a rendered SharePoint page allowing an escalation of privilege.   The other two are classified as information disclosure vulnerabilities.  One of which, CVE-2010-1252 was publicly disclosed.  It regarded evasion of the toStaticHTML() function's sanitization due to the expansion of special characters.


A number of vulnerabilities addressed in Microsoft Office software that could lead to code execution when opening specially crafted files.  The Excel bulletin (MS11-072, rated important), covers updates to address five remote code execution vulnerabilities in Excel when parsing specially crafted files.  The Office bulletin (MS11-073, also rated important) covers another one.  All of these vulnerabilities were privately disclosed but since these formats are a rich target for malware, applying the updates quickly as a prophylactic measure against exploits derived from post-release patch-diffing is recommended. 


As a side note, the fixed vulnerability in WINS (MS11-070) is a local and cannot be exploited over the network.

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.