Patch Analysis for September 2012
Two bulletins were released today correcting Cross Site Scripting (XSS) privilege elevation vulnerabilities. The patches are for Microsoft servers. The patch in MS12-061 addresses a vulnerability by correcting how the Visual Studio Team Foundation Server 2010 SP1 site validates input parameters. The patch in MS12-062 addresses a vulnerability by modifying the way that System Center Configuration Manager handles specially crafted requests. SMS 2003 SP3 and System Center Configuration Manager 2007 SP2 should get the patch. Newer versions are not affected. Both bulletins are rated important.
While servers need to be patched, users can protect themselves by adding XSS filtering to the local security zone in Internet Explorer.
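The browser-side mitigation above can be audited and applied through the registry. The script below is an added example, not part of the original analysis. It assumes that "local security zone" means Internet Explorer's Local intranet zone (zone 1) and that URL action 1409 controls the XSS filter (0 = enabled, 3 = disabled).

```powershell
# Added example. Assumptions: zone 1 = Local intranet, URL action 1409 = XSS filter
# (0 = enabled, 3 = disabled).
$Zone   = 1
$Action = '1409'
$Rel    = 'Microsoft\Windows\CurrentVersion\Internet Settings'

# Registry locations that can hold zone settings, highest precedence first.
$Hives = @(
    "HKLM:\Software\Policies\$Rel",
    "HKCU:\Software\Policies\$Rel",
    "HKCU:\Software\$Rel",
    "HKLM:\Software\$Rel"
)

function Get-XssFilterSetting {
    # Machine policy can make IE ignore per-user zone settings entirely.
    $flag = Get-ItemProperty -Path $Hives[0] -Name Security_HKLM_only -ErrorAction SilentlyContinue
    $hklmOnly = ($null -ne $flag) -and ($flag.Security_HKLM_only -eq 1)
    foreach ($hive in $Hives) {
        if ($hklmOnly -and $hive -like 'HKCU:*') { continue }
        $key  = "$hive\Zones\$Zone"
        $item = Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Source = $key; Enabled = ($item.$Action -eq 0); HklmOnly = $hklmOnly }
        }
    }
    # No explicit value anywhere: treated here as not enabled.
    return [pscustomobject]@{ Source = 'not set'; Enabled = $false; HklmOnly = $hklmOnly }
}

$current = Get-XssFilterSetting
"XSS filter in Local intranet zone: enabled=$($current.Enabled) (source: $($current.Source))"

if (-not $current.Enabled) {
    if ($current.HklmOnly -or $current.Source -like '*\Policies\*') {
        # A per-user write would be ignored or overridden; fix it in Group Policy.
        Write-Warning 'Zone setting is controlled by policy; enable the XSS filter in the GPO.'
    } else {
        $userKey = "$($Hives[2])\Zones\$Zone"
        if (-not (Test-Path $userKey)) { New-Item -Path $userKey -Force | Out-Null }
        Set-ItemProperty -Path $userKey -Name $Action -Value 0 -Type DWord
        "Enabled XSS filter for the current user: $((Get-XssFilterSetting).Enabled)"
    }
}
```

The change applies only to the current user and is a stopgap for clients; the affected servers still need the bulletin patches.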
I’ll be presenting a session entitled “Everything Matters: Every Setting, Every Component, Every Technology” at SecuritySCAPE 2012 which is a really cool IT security virtual event, bringing together industry analysts, thought leaders and IT professionals into an online forum to share real-world experiences, best practices, and identify future trends and challenges that we will all face. In addition to me you’ll hear from Neil MacDonald from Gartner Group, speakers from Aberdeen Group, Securosis, Forrester Research and security experts like Richard Stiennon. Get the full details and sign up here: SecuritySCAPE 2012. You might get an iPad 3, too!
| | System Types Affected | Exploit / Being exploited? | | MS severity rating | Products Affected | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|
| Privilege elevation / Visual Studio | Servers | No/No | No | Important | V Studio Team Fdn Svr 2010 | | Patch after testing |
| Privilege elevation / Systems Center | Servers | No/No | No | Important | Systems Management Server 2003; System Center Config Mgr 2007 | | Patch after testing |