ゼットスケーラーのセキュリティアドバイザリ

セキュリティ アドバイザリー - March 12, 2013

Zscaler Addresses Vulnerabilities in Microsoft Visio, OneNote, SharePoint and Internet Explorer in March 2013 Microsoft Patch Cycle

Zscaler, working with Microsoft through their MAPPs program has proactively deployed protections for the following 12 vulnerabilities included in the March 2013 Microsoft security bulletins.  Zscaler will continue to monitor exploits associated with all vulnerabilities in the March release and deploy additional protections as necessary.

MS13-024 – Vulnerabilities in SharePoint Could Allow Elevation of Privilege

Severity: Critical
Affected Software

  • Microsoft SharePoint Server 2010 Service Pack 1
  • Microsoft SharePoint Foundation 2010 Service Pack 1

CVE-2013-0080 Callback Function Vulnerability

CVE-2013-0083 SharePoint XSS Vulnerability

CVE-2013-0084 SharePoint Directory Traversal Vulnerability

Description: An elevation of privilege exists in Microsoft SharePoint Server.  An attacker who successfully exploited this vulnerability could allow an attacker, after obtaining sensitive system data, elevate their access to the server.

MS13-023 – Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution

Severity: Critical
Affected Software

  • Microsoft Visio Viewer 2010 Service Pack 1 (32-bit Edition)
  • Microsoft Visio Viewer 2010 Service Pack 1 (64-bit Edition)
  • Microsoft Visio 2010 Service Pack 1 (32-bit Edition)
  • Microsoft Visio 2010 Service Pack 1 (64-bit Edition)
  • Microsoft Office 2010Filter Pack Service Pack 1 (32-bit Edition)
  • Microsoft Office 2010Filter Pack Service Pack 1 (64-bit Edition)

CVE-2013-0079 Visio Viewer Tree Object Type Confusion Vulnerability

Description: A remote code execution vulnerability exists in the way that Microsoft Visio Viewer handles memory when rendering specially crafted Visio files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

MS13-021 – Cumulative Security Update for Internet Explorer

Severity: Critical
Affected Software

  • Internet Explorer 6
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10

CVE-2013-0087 Internet Explorer OnResize Use After Free Vulnerability

CVE-2013-0088 Internet Explorer saveHistory Use After Free Vulnerability

CVE-2013-0089 Internet Explorer CMarkupBehaviorContext Use After Free Vulnerability

CVE-2013-0090 Internet Explorer CCaret Use After Free Vulnerability

CVE-2013-0091 Internet Explorer CElement Use After Free Vulnerability

CVE-2013-0092 Internet Explorer GetMarkupPtr Use After Free Vulnerability

CVE-2013-0093 Internet Explorer onBeforeCopy Use After Free Vulnerability

Description: The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user.

MS13-025 – Vulnerability in Microsoft OneNote Could Allow Information Disclosure

Severity: Critical
Affected Software

  • Microsoft OneNote 2010 Service Pack 1 (32-bit editions)
  • Microsoft OneNote 2010 Service Pack 1 (64-bit editions)

CVE-2013-0086 Buffer Size Validation Vulnerability

Description: An information disclosure vulnerability exists in the way that Microsoft OneNote allocates memory from parsing a specially crafted OneNote (.ONE) file.