Patch Analysis for September 2012

Two bulletins were released today correcting Cross Site Scripting (XSS) privilege elevation vulnerabilities. Both affect Microsoft server products. The patch in MS12-061 addresses a vulnerability by correcting how the Visual Studio Team Foundation Server 2010 SP1 site validates input parameters. The patch in MS12-062 addresses a vulnerability by modifying the way that System Center Configuration Manager handles specially crafted requests. SMS 2003 SP3 and System Center Configuration Manager 2007 SP2 should get the patch. Newer versions are not affected. Both bulletins are rated important.
While the servers need to be patched, users can protect themselves by enabling XSS filtering for the local security zone in Internet Explorer.
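The following PowerShell script is an added example (not from this newsletter) that audits the Internet Explorer XSS Filter setting per security zone and turns it on for the Local intranet zone, which is where the article says users should add it. It assumes the per-user zone keys under HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<id> (1 = Local intranet) and the DWORD value 1409 for the XSS Filter (0 = enabled, 3 = disabled); if your domain policy forces HKLM-only zone settings, adjust the hive accordingly.

```powershell
# Added example: audit and enable the IE XSS Filter for a security zone.
# Assumptions: zone keys live under HKCU:\...\Internet Settings\Zones\<id>
# and the XSS Filter is the DWORD value 1409 (0 = enabled, 3 = disabled).
$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$XssFilterValue = '1409'
$ZonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-IeXssFilterState {
    param([Parameter(Mandatory)][ValidateRange(0, 4)][int]$ZoneId)
    $key  = Join-Path $ZonesRoot $ZoneId
    $item = Get-ItemProperty -Path $key -Name $XssFilterValue -ErrorAction SilentlyContinue
    $raw  = if ($null -eq $item) { $null } else { $item.$XssFilterValue }
    # Translate the raw DWORD into a readable state; a missing value means IE's built-in
    # default for that zone applies (the filter is off by default for Local intranet).
    $state = if ($null -eq $raw) { 'Not set (IE default applies)' }
             elseif ($raw -eq 0) { 'Enabled' }
             elseif ($raw -eq 3) { 'Disabled' }
             else { "Unknown ($raw)" }
    [pscustomobject]@{ ZoneId = $ZoneId; Zone = $ZoneNames[$ZoneId]; Raw = $raw; XssFilter = $state }
}

function Enable-IeXssFilter {
    param([Parameter(Mandatory)][ValidateRange(0, 4)][int]$ZoneId)
    $key = Join-Path $ZonesRoot $ZoneId
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $XssFilterValue -Value 0 -Type DWord
    Get-IeXssFilterState -ZoneId $ZoneId   # return the post-change state for the caller
}

# Report all five zones first, then enable the filter for Local intranet (zone 1).
0..4 | ForEach-Object { Get-IeXssFilterState -ZoneId $_ } | Format-Table -AutoSize
Enable-IeXssFilter -ZoneId 1 | Format-Table -AutoSize
```

Run it in the user's own session (the setting is per user); Internet Explorer reads the zone value the next time it renders a page, so no restart is needed.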
I’ll be presenting a session entitled “Everything Matters: Every Setting, Every Component, Every Technology”  at SecuritySCAPE 2012 which is a really cool IT security virtual event, bringing together industry analysts, thought leaders and IT professionals into an online forum to share real-world experiences, best practices, and identify future trends and challenges that we will all face.  In addition to me you’ll hear from Neil MacDonald from Gartner Group, speakers from Aberdeen Group, Securosis, Forrester Research and security experts like Richard Stiennon.  Get the full details and sign up here: SecuritySCAPE 2012.  You might get an iPad 3, too!

Patch Tuesday Coverage Made Possible By: Lumension:  IT Secured.  Success Optimized.™

Bulletin | KB | Exploit types / technologies affected | System types affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products affected | Notes | Randy's recommendation
MS12-061 | 2719584 | Privilege elevation / Visual Studio | Servers | No / No | No | Important | V Studio Team Fdn Svr 2010 | - | Patch after testing
MS12-062 | 2741528 | Privilege elevation / Systems Center | Servers | No / No | No | Important | Systems Management Server 2003; System Center Config Mgr 2007 | - | Patch after testing
