Security Advisory - June 08, 2010

Zscaler Provides Protection for 7 New Microsoft Vulnerabilities and 4 Third Party Vulnerabilities


Zscaler, working with Microsoft through their MAPP program, has proactively deployed protections for the following 11 web-based, client-side attacks included in the June 2010 Microsoft security bulletins. Zscaler clients are protected from the following vulnerabilities simply by leveraging the Zscaler platform, without the need to take any further action.

MS10-034 – Cumulative Security Update of ActiveX Kill Bits

Severity: Critical
Affected Software:

  • Microsoft Windows 2000
  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows Server 2003
  • Windows Server 2008

CVE-2010-0252 - Microsoft Data Analyzer ActiveX Control Vulnerability

Description: A remote code execution vulnerability in the Microsoft Data Analyzer ActiveX Control could lead to a full system compromise, should a victim view a web page containing a maliciously crafted ActiveX control.

CVE-2010-0811 - Microsoft Internet Explorer 8 Developer Tools Vulnerability

Description: A remote code execution vulnerability in the Microsoft Internet Explorer 8 Developer Tools ActiveX Control could lead to a full system compromise, should a victim view a web page containing a maliciously crafted ActiveX control.

Note: Security bulletin MS10-034 also includes kill bits for the following four third-party applications, which ship vulnerable ActiveX controls. Zscaler is also monitoring for and blocking web pages that request these ActiveX controls:

  • Danske Bank - Danske eSec
    • CLSID: F6A56D95-A3A3-11D2-AC26-400000058481
  • CA - Pest Scan
    • CLSID: 56393399-041A-4650-94C7-13DFCB1F4665
  • Eastman Kodak Company - Ofoto Upload Manager / Kodak Gallery Easy Upload Manager
    • CLSID: 6f750200-1362-4815-A476-88533DE61D0C
    • CLSID: 6f750201-1362-4815-A476-88533DE61D0C
  • Avaya - CallPilot Unified Messaging
    • CLSID: 7F14A9EE-6989-11D5-8152-00C04F191FCA
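To confirm on a Windows host that the kill bits for the five CLSIDs above were actually applied, the following PowerShell check is added here; it is not part of the Zscaler advisory or of Microsoft's bulletin. It assumes the standard kill-bit mechanism (the "Compatibility Flags" DWORD with bit 0x400 set under the ActiveX Compatibility registry key, plus the Wow6432Node copy read by 32-bit IE on 64-bit Windows) and PowerShell 3.0 or later.

```powershell
# Added check (not from the Zscaler advisory): confirm that the MS10-034 kill bits
# for the third-party CLSIDs listed above are present on this Windows host.
# Microsoft sets a kill bit by writing the DWORD "Compatibility Flags" with bit 0x400
# under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID};
# 32-bit IE on 64-bit Windows reads the Wow6432Node copy, so both locations are checked.

$KillBitFlag = 0x400

# CLSIDs exactly as given in the advisory
$Clsids = @(
    'F6A56D95-A3A3-11D2-AC26-400000058481',  # Danske Bank - Danske eSec
    '56393399-041A-4650-94C7-13DFCB1F4665',  # CA - Pest Scan
    '6f750200-1362-4815-A476-88533DE61D0C',  # Kodak - Ofoto / Easy Upload Manager
    '6f750201-1362-4815-A476-88533DE61D0C',  # Kodak - Ofoto / Easy Upload Manager
    '7F14A9EE-6989-11D5-8152-00C04F191FCA'   # Avaya - CallPilot Unified Messaging
)

$CompatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-KillBit {
    param([string]$Clsid, [string]$CompatKey)
    # Registry subkeys use the braced GUID form; lookup is case-insensitive
    $key = Join-Path $CompatKey ('{' + $Clsid.ToUpper() + '}')
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $item = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    $flags = $item.'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    # Other bits may be set too; only the kill bit (0x400) matters here
    return (($flags -band $KillBitFlag) -eq $KillBitFlag)
}

foreach ($clsid in $Clsids) {
    foreach ($compatKey in $CompatKeys) {
        # Wow6432Node does not exist on 32-bit Windows; skip it there
        if (-not (Test-Path -LiteralPath $compatKey)) { continue }
        $status = if (Test-KillBit -Clsid $clsid -CompatKey $compatKey) { 'SET' } else { 'MISSING' }
        [pscustomobject]@{ CLSID = $clsid; Location = $compatKey; KillBit = $status }
    }
}
```

A row reporting MISSING for a location that exists means the control can still be instantiated by that IE bitness, so the MS10-034 update (or an equivalent kill bit) has not taken effect there.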

MS10-035 – Cumulative Security Update for Internet Explorer

Severity: Critical
Affected Software:

  • Internet Explorer 6
  • Internet Explorer 7
  • Internet Explorer 8

CVE-2010-0255 - Cross-Domain Information Disclosure Vulnerability

Description: An information leakage vulnerability exists in the way Internet Explorer caches data, which could expose sensitive data to third parties by allowing them to bypass cross-domain restrictions.

CVE-2010-1257 - toStaticHTML Information Disclosure Vulnerability

Description: An information leakage vulnerability exists in the way Internet Explorer handles content using specific strings when sanitizing HTML. This vulnerability could be leveraged by an attacker to conduct a cross-site scripting (XSS) attack against a victim, on sites utilizing the toStaticHTML API.

CVE-2010-1259 - Uninitialized Memory Corruption Vulnerability

Description: A remote code execution vulnerability can be triggered when Internet Explorer attempts to access an object that has not been correctly initialized or has been deleted.

CVE-2010-1262 - Memory Corruption Vulnerability

Description: A remote code execution vulnerability can be triggered when Internet Explorer attempts to access an object that has not been correctly initialized or has been deleted.

MS10-039 – Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege

Severity: Important
Affected Software:

  • Microsoft SharePoint Services 3.0
  • Microsoft Office InfoPath 2003
  • Microsoft Office InfoPath 2007
  • Microsoft Office SharePoint Server 2007

CVE-2010-0817 - Help.aspx XSS Vulnerability

Description: A cross-site scripting (XSS) vulnerability exists in Microsoft SharePoint and InfoPath which could allow an attacker to execute active script in the context of a user who visits a vulnerable web page.

Note: Zscaler has always provided cross-site scripting (XSS) protection for vulnerable websites. Therefore, Zscaler customers have always been protected against this and similar vulnerabilities across all websites.