Security Advisory - November 09, 2010

Zscaler Provides Immediate Vulnerability Protection During Microsoft’s Patch Cycle

Zscaler, working with Microsoft through their MAPP program, has proactively deployed protections for six Microsoft Office and three Forefront Unified Access Gateway web-based, client-side vulnerabilities included in the November 2010 Microsoft security bulletins. Zscaler customers licensed for the Advanced Threat Protection service are shielded from attack without the need to take further action. Zscaler will continue to monitor exploits associated with all vulnerabilities in the October release and deploy additional protections as necessary.

MS10-088 – Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (2293386)

Severity: Critical
Affected Software:

  • Microsoft Office XP
  • Microsoft Office 2003
  • Microsoft Office 2004 for Mac
  • Microsoft PowerPoint Viewer

CVE-2010-2572 - PowerPoint Parsing Buffer Overflow Vulnerability

Description: A remote code execution vulnerability exists in the way that Microsoft PowerPoint handles specially crafted PowerPoint 95 files.

CVE-2010-2573 - PowerPoint Integer Underflow Causes Heap Corruption Vulnerability

Description: A remote code execution vulnerability exists in the way that Microsoft PowerPoint handles specially crafted PowerPoint files.

MS10-089 – Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Elevation of Privilege (2316074)

Severity: Important
Affected Software:

  • Forefront Unified Access Gateway 2010

CVE-2010-2733 - UAG XSS EOP Vulnerability

Description: A cross-site scripting (XSS) vulnerability exists in Forefront Unified Access Gateway (UAG) that could allow specially crafted script code to run under the guise of the server. This is a non-persistent cross-site scripting vulnerability that could allow an attacker to issue commands to the UAG server in the context of the targeted user.

CVE-2010-2734 - XSS Issue on UAG Mobile Portal Website in Forefront Unified Access Gateway Vulnerability

Description: A cross-site scripting (XSS) vulnerability exists in Forefront Unified Access Gateway (UAG) that could allow specially crafted script code to run under the guise of the server. This is a non-persistent cross-site scripting vulnerability that could allow an attacker to issue commands to the UAG server in the context of the targeted user.

CVE-2010-3936 - XSS in Signurl.asp Vulnerability

Description: A cross-site scripting (XSS) vulnerability exists in Forefront Unified Access Gateway (UAG) that could allow specially crafted script code to run under the guise of the server. This is a non-persistent cross-site scripting vulnerability that could allow an attacker to issue commands to the UAG server in the context of the targeted user.

MS10-087 – Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2423930)

Severity: Critical
Affected Software:

  • Microsoft Office XP
  • Microsoft Office 2003
  • Microsoft Office 2007
  • Microsoft Office 2010
  • Microsoft Office 2004 for Mac
  • Microsoft Office 2008 for Mac
  • Microsoft Office 2011 for Mac
  • Open XML File Format Converter for Mac

CVE-2010-3333 - RTF Stack Buffer Overflow Vulnerability

Description: A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted Rich Text Format (RTF) formatted data.

CVE-2010-3334 - Office Art Drawing Records Vulnerabilities

Description: A remote code execution vulnerability exists in the way that Microsoft Office software parses specially crafted Office files.

CVE-2010-3335 - Drawing Exception Handling Vulnerability

Description: A remote code execution vulnerability exists in the way that Microsoft Office software parses specially crafted Office files.

CVE-2010-3336 - MSO Large SPID Read AV Vulnerability

Description: A remote code execution vulnerability exists in the way that Microsoft Office software parses specially crafted Office files.