Security Advisory - June 08, 2010
Zscaler Provides Protection for 7 New Microsoft Vulnerabilities and 4 Third Party Vulnerabilities
Zscaler, working with Microsoft through their MAPP program, has proactively deployed protections for the following 11 web-based, client-side attacks included in the June 2010 Microsoft security bulletins. Zscaler clients are protected from the following vulnerabilities simply by leveraging the Zscaler platform, without the need to take any further action.
MS10-034 – Cumulative Security Update of ActiveX Kill Bits
Severity: Critical
Affected Software
- Microsoft Windows 2000
- Windows XP
- Windows Vista
- Windows 7
- Windows Server 2003
- Windows Server 2008
CVE-2010-0252 - Microsoft Data Analyzer ActiveX Control Vulnerability
Description: A remote code execution vulnerability in the Microsoft Data Analyzer ActiveX Control could lead to a full system compromise, should a victim view a web page containing a maliciously crafted ActiveX control.
CVE-2010-0811 - Microsoft Internet Explorer 8 Developer Tools Vulnerability
Description: A remote code execution vulnerability in the Microsoft Internet Explorer 8 Developer Tools ActiveX Control could lead to a full system compromise, should a victim view a web page containing a maliciously crafted ActiveX control.
Note: Security bulletin MS10-034 also includes kill bits for the following four third-party applications, which ship vulnerable ActiveX controls. Zscaler is also monitoring for, and blocking, web pages that request these ActiveX controls:
- Danske Bank - Danske eSec
  - CLSID: F6A56D95-A3A3-11D2-AC26-400000058481
- CA - Pest Scan
  - CLSID: 56393399-041A-4650-94C7-13DFCB1F4665
- Eastman Kodak Company - Ofoto Upload Manager / Kodak Gallery Easy Upload Manager
  - CLSID: 6f750200-1362-4815-A476-88533DE61D0C
  - CLSID: 6f750201-1362-4815-A476-88533DE61D0C
- Avaya - CallPilot Unified Messaging
  - CLSID: 7F14A9EE-6989-11D5-8152-00C04F191FCA
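A defender-side check in the spirit of the monitoring described above, written here as an added example (it is not Zscaler's own detection logic): it scans fetched HTML for <object> tags whose classid names one of the CLSIDs kill-bitted by MS10-034. The CLSID list comes from this advisory; the sample page and the all-zero GUID in it are constructed.

```python
import re

# CLSIDs kill-bitted by MS10-034 for the third-party controls listed above.
# Values are taken from the advisory; the matching logic is constructed here.
KILLBIT_CLSIDS = {
    "F6A56D95-A3A3-11D2-AC26-400000058481",  # Danske Bank - Danske eSec
    "56393399-041A-4650-94C7-13DFCB1F4665",  # CA - Pest Scan
    "6F750200-1362-4815-A476-88533DE61D0C",  # Kodak - Ofoto / Easy Upload Manager
    "6F750201-1362-4815-A476-88533DE61D0C",  # Kodak - Ofoto / Easy Upload Manager
    "7F14A9EE-6989-11D5-8152-00C04F191FCA",  # Avaya - CallPilot Unified Messaging
}

# Matches the classid attribute of an <object> tag. The GUID is accepted with
# or without braces, in either case, with single, double or no quotes, so a
# naive exact-string match on one spelling would miss trivial variations.
_CLASSID_RE = re.compile(
    r"<object\b[^>]*?\bclassid\s*=\s*['\"]?\s*clsid:\s*\{?([0-9a-f\-]{36})\}?",
    re.IGNORECASE,
)


def find_killbit_controls(html: str) -> list:
    """Return the kill-bitted CLSIDs that the page asks IE to instantiate,
    upper-cased and without braces, in order of first appearance."""
    found = []
    for m in _CLASSID_RE.finditer(html):
        clsid = m.group(1).upper()
        if clsid in KILLBIT_CLSIDS and clsid not in found:
            found.append(clsid)
    return found


# Constructed sample page: two kill-bitted controls in different spellings plus
# one unrelated (placeholder, all-zero) control that must not be reported.
SAMPLE_HTML = """<html><body>
<object classid="clsid:{6f750200-1362-4815-A476-88533DE61D0C}"
        id="upload" width="0" height="0"></object>
<object classid='CLSID:7F14A9EE-6989-11D5-8152-00C04F191FCA'></object>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
</body></html>"""

if __name__ == "__main__":
    for clsid in find_killbit_controls(SAMPLE_HTML):
        print("page requests kill-bitted control:", clsid)
```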
MS10-035 – Cumulative Security Update for Internet Explorer
Severity: Critical
Affected Software
- Internet Explorer 6
- Internet Explorer 7
- Internet Explorer 8
CVE-2010-0255 - Cross-Domain Information Disclosure Vulnerability
Description: An information leakage vulnerability exists in the way Internet Explorer caches data, which could expose sensitive data to third parties by allowing them to bypass cross-domain restrictions.
CVE-2010-1257 - toStaticHTML Information Disclosure Vulnerability
Description: An information leakage vulnerability exists in the way Internet Explorer handles content using specific strings when sanitizing HTML. This vulnerability could be leveraged by an attacker to conduct a cross-site scripting (XSS) attack against a victim, on sites utilizing the toStaticHTML API.
CVE-2010-1259 - Uninitialized Memory Corruption Vulnerability
Description: A remote code execution vulnerability can be triggered when Internet Explorer attempts to access an object that has not been correctly initialized or has been deleted.
CVE-2010-1262 - Memory Corruption Vulnerability
Description: A remote code execution vulnerability can be triggered when Internet Explorer attempts to access an object that has not been correctly initialized or has been deleted.
MS10-039 – Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege
Severity: Important
Affected Software
- Microsoft SharePoint Services 3.0
- Microsoft Office InfoPath 2003
- Microsoft Office InfoPath 2007
- Microsoft Office SharePoint Server 2007
CVE-2010-0817 - Help.aspx XSS Vulnerability
Description: A cross-site scripting (XSS) vulnerability exists in Microsoft SharePoint and InfoPath which could allow an attacker to execute active script in the context of a user who visited a vulnerable web page.
Note: Zscaler has always provided cross-site scripting (XSS) protection against all vulnerable websites. Therefore, Zscaler customers have always been protected against this and similar vulnerabilities in all web sites.