XSS Vulnerabilities Addressed by Microsoft’s September 2012 Updates
Microsoft has issued two security bulletins as part of its September 2012 Patch Tuesday release. One noteworthy fact is that the company hasn’t made available so few bulletins since May 2011.
The first bulletin – rated as Important - addresses a cross-site scripting (XSS) security hole present in Visual Studio Team Foundation Server.
Another Important XSS flaw has been identified in Microsoft System Center Configuration Manager, affecting Microsoft Systems Management Server 2003 Service Pack 3 and Microsoft System Center Configuration Manager 2007 Service Pack 2.
Trend Micro researchers highlight the fact that such vulnerabilities have been utilized successfully on numerous occasions, several such attacks being recorded in 2011.
As always, Microsoft customers are advised to apply the updates as soon as possible to ensure that they’re systems are protected. Fortunately for users, the bulletins don’t require that they restart their computers.
Attacks that leverage these vulnerabilities haven’t been recorded so far, but that doesn’t mean they will not be launched in the future, which is why its highly recommended that the updates are applied.
The Redmond company also took this opportunity to remind everyone of the fact that the October updates would come with a major security improvement. The use of RSA keys with a length less than 1024 bits will be restricted.
“For those who find they are using certificates with RSA key lengths of less than 1024 bits, those certificates will be required to be reissued with at least a 1024-bit key length. (1024 should, by the way, be considered a minimum length; the most up-to-date security practices recommend 2048 bits or even better),” Angela Gunn of Trustworthy Computing explained.
Here’s this month’s video in which Yunsun Wee provides further details regarding the two bulletins and the improvements made with the upcoming update: