Zscaler Provides Protection for 7 New Microsoft Vulnerabilities and 4 Third Party Vulnerabilities

June 2010 by Zscaler


Zscaler, working with Microsoft through their MAPPs program, has proactively deployed protections for the following 11 web-based, client-side attacks included in the June 2010 Microsoft security bulletins. Zscaler clients are protected from the following vulnerabilities simply by leveraging the Zscaler platform, without the need to take any further action.

MS10-034
Cumulative Security Update of ActiveX Kill Bits
Severity: Critical

Affected Software

• Microsoft Windows 2000
• Windows XP
• Windows Vista
• Windows 7
• Windows Server 2003
• Windows Server 2008

CVE-2010-0252
Microsoft Data Analyzer ActiveX Control Vulnerability

Description: A remote code execution vulnerability in the Microsoft Data Analyzer ActiveX Control could lead to a full system compromise, should a victim view a web page containing a maliciously crafted ActiveX control.

CVE-2010-0811
Microsoft Internet Explorer 8 Developer Tools Vulnerability

Description: A remote code execution vulnerability in the Microsoft Internet Explorer 8 Developer Tools ActiveX Control could lead to a full system compromise, should a victim view a web page containing a maliciously crafted ActiveX control.

Note: Security bulletin MS10-034 also includes kill-bits for the following four third-party applications, which include vulnerable ActiveX controls. Zscaler is also monitoring for/blocking web pages that request these ActiveX controls:

• Danske Bank - Danske eSec
  o CLSID: F6A56D95-A3A3-11D2-AC26-400000058481
• CA - Pest Scan
  o CLSID: 56393399-041A-4650-94C7-13DFCB1F4665
• Eastman Kodak Company - Ofoto Upload Manager / Kodak Gallery Easy Upload Manager
  o CLSID: 6f750200-1362-4815-A476-88533DE61D0C
  o CLSID: 6f750201-1362-4815-A476-88533DE61D0C
• Avaya - CallPilot Unified Messaging
  o CLSID: 7F14A9EE-6989-11D5-8152-00C04F191FCA

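One way to check a response body for the controls listed above, as an added example that is not Zscaler's implementation: it scans HTML for `<object>` tags whose `classid` is one of the five CLSIDs from the note. The names `KillBitScanner` and `scan_page` and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# CLSIDs from the MS10-034 note, upper-cased for comparison.
KILLBIT_CLSIDS = {
    "F6A56D95-A3A3-11D2-AC26-400000058481": "Danske Bank - Danske eSec",
    "56393399-041A-4650-94C7-13DFCB1F4665": "CA - Pest Scan",
    "6F750200-1362-4815-A476-88533DE61D0C": "Eastman Kodak - Easy Upload Manager",
    "6F750201-1362-4815-A476-88533DE61D0C": "Eastman Kodak - Easy Upload Manager",
    "7F14A9EE-6989-11D5-8152-00C04F191FCA": "Avaya - CallPilot Unified Messaging",
}
# classid="clsid:GUID"; optional braces and stray whitespace are tolerated.
CLASSID_RE = re.compile(
    r"\s*clsid:\s*\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?\s*", re.I)

class KillBitScanner(HTMLParser):
    """Collects <object> tags whose classid is one of the listed CLSIDs."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []  # (clsid, product, line number of the tag)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag/attribute names and decodes character
        # references in values, so CLASSID="CLSID&#58;..." is matched too.
        if tag != "object":
            return
        for name, value in attrs:
            m = CLASSID_RE.fullmatch(value or "") if name == "classid" else None
            if m and m.group(1).upper() in KILLBIT_CLSIDS:
                clsid = m.group(1).upper()
                self.hits.append((clsid, KILLBIT_CLSIDS[clsid], self.getpos()[0]))

def scan_page(html):
    scanner = KillBitScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits

# Constructed sample response body (not taken from a real site).
SAMPLE_PAGE = """<html><body>
<object id="a" classid="clsid:56393399-041a-4650-94c7-13dfcb1f4665"></object>
<OBJECT CLASSID="CLSID&#58;7F14A9EE-6989-11D5-8152-00C04F191FCA"></OBJECT>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<p>clsid:F6A56D95-A3A3-11D2-AC26-400000058481 appears only as text</p>
</body></html>"""

if __name__ == "__main__":
    for clsid, product, line in scan_page(SAMPLE_PAGE):
        print(f"line {line}: {product} ({clsid})")
```
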
MS10-035
Cumulative Security Update for Internet Explorer
Severity: Critical

Affected Software

• Internet Explorer 6
• Internet Explorer 7
• Internet Explorer 8

CVE-2010-0255
Cross-Domain Information Disclosure Vulnerability

Description: An information leakage vulnerability exists in the way that Internet Explorer caches data which could expose sensitive data to third parties by allowing them to bypass cross-domain restrictions.

CVE-2010-1257
toStaticHTML Information Disclosure Vulnerability

Description: An information leakage vulnerability exists in the way Internet Explorer handles content using specific strings when sanitizing HTML. This vulnerability could be leveraged by an attacker to conduct a cross-site scripting (XSS) attack against a victim, on sites utilizing the toStaticHTML API.

CVE-2010-1259
Uninitialized Memory Corruption Vulnerability

Description: A remote code execution vulnerability can be triggered when Internet Explorer attempts to access an object that has not been correctly initialized or has been deleted.

CVE-2010-1262
Memory Corruption Vulnerability

Description: A remote code execution vulnerability can be triggered when Internet Explorer attempts to access an object that has not been correctly initialized or has been deleted.

MS10-039
Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege
Severity: Important

Affected Software

• Microsoft SharePoint Services 3.0
• Microsoft Office InfoPath 2003
• Microsoft Office InfoPath 2007
• Microsoft Office SharePoint Server 2007

CVE-2010-0817
Help.aspx XSS Vulnerability

Description: A cross-site scripting (XSS) vulnerability exists in Microsoft SharePoint and InfoPath which could allow an attacker to execute active script in the context of a user that visited a vulnerable web page.

