Security Advisory - March 12, 2013
Zscaler Addresses Vulnerabilities in Microsoft Visio, OneNote, SharePoint and Internet Explorer in March 2013 Microsoft Patch Cycle
Zscaler, working with Microsoft through its MAPPs program, has proactively deployed protections for the following 12 vulnerabilities included in the March 2013 Microsoft security bulletins. Zscaler will continue to monitor exploits associated with all vulnerabilities in the March release and deploy additional protections as necessary.
MS13-024 – Vulnerabilities in SharePoint Could Allow Elevation of Privilege
- Microsoft SharePoint Server 2010 Service Pack 1
- Microsoft SharePoint Foundation 2010 Service Pack 1
CVE-2013-0080 Callback Function Vulnerability
CVE-2013-0083 SharePoint XSS Vulnerability
CVE-2013-0084 SharePoint Directory Traversal Vulnerability
Description: An elevation of privilege vulnerability exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could, after obtaining sensitive system data, elevate their access to the server.
MS13-023 – Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution
- Microsoft Visio Viewer 2010 Service Pack 1 (32-bit Edition)
- Microsoft Visio Viewer 2010 Service Pack 1 (64-bit Edition)
- Microsoft Visio 2010 Service Pack 1 (32-bit Edition)
- Microsoft Visio 2010 Service Pack 1 (64-bit Edition)
- Microsoft Office 2010 Filter Pack Service Pack 1 (32-bit Edition)
- Microsoft Office 2010 Filter Pack Service Pack 1 (64-bit Edition)
CVE-2013-0079 Visio Viewer Tree Object Type Confusion Vulnerability
Description: A remote code execution vulnerability exists in the way that Microsoft Visio Viewer handles memory when rendering specially crafted Visio files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
MS13-021 – Cumulative Security Update for Internet Explorer
- Internet Explorer 6
- Internet Explorer 7
- Internet Explorer 8
- Internet Explorer 9
- Internet Explorer 10
CVE-2013-0087 Internet Explorer OnResize Use After Free Vulnerability
CVE-2013-0088 Internet Explorer saveHistory Use After Free Vulnerability
CVE-2013-0089 Internet Explorer CMarkupBehaviorContext Use After Free Vulnerability
CVE-2013-0090 Internet Explorer CCaret Use After Free Vulnerability
CVE-2013-0091 Internet Explorer CElement Use After Free Vulnerability
CVE-2013-0092 Internet Explorer GetMarkupPtr Use After Free Vulnerability
CVE-2013-0093 Internet Explorer onBeforeCopy Use After Free Vulnerability
Description: The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user.
MS13-025 – Vulnerability in Microsoft OneNote Could Allow Information Disclosure
- Microsoft OneNote 2010 Service Pack 1 (32-bit editions)
- Microsoft OneNote 2010 Service Pack 1 (64-bit editions)
CVE-2013-0086 Buffer Size Validation Vulnerability
Description: An information disclosure vulnerability exists in the way that Microsoft OneNote allocates memory when parsing a specially crafted OneNote (.ONE) file.