Security Advisory - October 09, 2012

Zscaler Protects Against Latest Microsoft Patch Cycle

Zscaler, working with Microsoft through their MAPP program, has proactively deployed protections for the following web-based, client-side vulnerabilities included in the October 2012 Microsoft security bulletins. Zscaler will continue to monitor exploits associated with all vulnerabilities in the October release and deploy additional protections as necessary.

MS12-064 – Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2742319)
Severity: Critical
Affected Software

  • Microsoft Office 2003
  • Microsoft Office 2007
  • Microsoft Office 2010
  • Microsoft Word Viewer
  • Microsoft Office Compatibility Pack
  • Microsoft SharePoint Server 2010
  • Microsoft Office Web Apps 2010

CVE-2012-0182 - Word PAPX Section Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that Microsoft Word handles specially crafted Word files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVE-2012-2528 - RTF File listid Use-After-Free Vulnerability
Description: A remote code execution vulnerability exists in the way that Microsoft Office handles specially crafted RTF files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS12-065 – Vulnerability in Microsoft Works Could Allow Remote Code Execution (KB2754670)
Severity: Critical
Affected Software

  • Microsoft Works 9

CVE-2012-2550 - Works Heap Vulnerability
Description: A remote code execution vulnerability exists in the way that affected versions of Microsoft Works parse specially crafted Word files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS12-070 – Vulnerability in SQL Server Could Allow Elevation of Privilege (2754849)
Severity: Critical
Affected Software

  • Microsoft SQL Server 2005 Express Edition
  • Microsoft SQL Server 2005
  • Microsoft SQL Server 2008
  • Microsoft SQL Server 2012

CVE-2012-2552 - Reflected XSS Vulnerability
Description: A reflected XSS vulnerability exists in SQL Server Report Manager that could allow an attacker to inject a client-side script into the user's instance of Internet Explorer. The script could spoof content, disclose information, or take any action that the user could take on the site on behalf of the targeted user.
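The advisory does not describe the Report Manager bug itself, so the following is an added, generic illustration (not Zscaler's, Microsoft's, or Report Manager's code) of what a reflected XSS weakness looks like and how it is fixed: a request parameter is echoed into an HTML page, once verbatim (vulnerable) and once HTML-encoded with a restrictive Content-Security-Policy header as defence in depth. The endpoint path, the `q` parameter and the probe string are constructed assumptions for the example.

```python
# Added example (not Zscaler's or Microsoft's code): the generic shape of a
# reflected XSS bug and its fix. A request parameter is echoed into an HTML
# page; the unsafe version inserts it verbatim, the hardened version
# HTML-encodes it and also sets a restrictive Content-Security-Policy header.
# The endpoint path and parameter name are hypothetical, not Report Manager's.
import html
from urllib.parse import parse_qs, urlsplit

PAGE = "<html><body><h1>Search results for: {term}</h1></body></html>"


def get_term(url: str) -> str:
    """Extract the hypothetical 'q' query parameter from a request URL."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("q", [""])[0]


def render_unsafe(url: str) -> str:
    """Vulnerable: the reflected parameter is interpolated as raw HTML."""
    return PAGE.format(term=get_term(url))


def render_safe(url: str) -> tuple[str, dict]:
    """Hardened: HTML-encode the reflected value (quote=True also encodes
    quotes, so the value stays inert inside attribute values) and send a
    CSP that blocks inline script as defence in depth."""
    body = PAGE.format(term=html.escape(get_term(url), quote=True))
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'",
    }
    return body, headers


def is_reflected_unescaped(url: str, body: str) -> bool:
    """Simple check a tester or scanner can run: does a parameter value that
    contains HTML metacharacters appear verbatim in the response body?"""
    term = get_term(url)
    return any(c in term for c in "<>\"'") and term in body


if __name__ == "__main__":
    # Constructed request with a harmless probe string (a bold tag, not a payload).
    probe = "/reports?q=%3Cb%3Eprobe%3C%2Fb%3E"
    print(render_unsafe(probe))
    body, headers = render_safe(probe)
    print(body, headers)
    print(is_reflected_unescaped(probe, render_unsafe(probe)))  # True
    print(is_reflected_unescaped(probe, body))                   # False
```

The `is_reflected_unescaped` check is the same observation a scanner or a WAF signature relies on: a value containing HTML metacharacters coming back byte-for-byte in the response is the tell-tale of missing output encoding. Encoding at the point of output, rather than filtering input, is what closes the bug; the CSP header only limits the damage if an encoding gap remains.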