Microsoft’s September Patch Tuesday closes important XSS holes


On its September Patch Tuesday, Microsoft released two security updates that are rated as important and which close holes in Visual Studio Team Foundation Server 2010 (TFS) and Systems Management Server 2003 and 2007. Both updates fix cross-site scripting (XSS) vulnerabilities in the products’ web interfaces that allow attackers to execute arbitrary script in the victim’s browser.

As the holes enable an attacker to access the web interfaces at the user’s privilege level, Microsoft has classified them as privilege escalation vulnerabilities. The company notes that, to its knowledge, neither of the holes is being actively exploited for attacks.

Microsoft has also published a number of other patches for Windows, Windows Server and the Malicious Software Removal Tool; it considers these to be non-security-related. The company notes that, unlike its other September updates, users may have to restart their computers after installing these. The updates include a new set of ActiveX kill bits to prevent vulnerable Cisco plugins from running.

While this Patch Day has turned out to be moderate, the next one may have far-reaching consequences: in October, Microsoft will use Windows Update to deploy a patch that will invalidate any certificates with an RSA private key length of less than 1,024 bits. Those who manage infrastructures that use such certificates should, therefore, replace them with certificates whose private key has the required minimum length before then. NIST currently recommends an RSA key length of at least 2,048 bits.
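To find certificates that the October update will reject, an administrator needs the RSA modulus length of each certificate in use. The following is an added example, not code from the article or from Microsoft: a standard-library-only DER walker that reads the RSA key size out of an X.509 certificate (PEM or DER) and lists the ones below a chosen minimum. It assumes the standard X.509 v3 `Certificate` layout and only inspects RSA keys; the sample certificates at the bottom are constructed DER skeletons with synthetic moduli, not real keys, so the script runs offline.

```python
"""Flag X.509 certificates whose RSA public key is shorter than a minimum.

Added example (not part of the original article). Assumes the standard
X.509 v3 Certificate ASN.1 structure; non-RSA keys are reported as None.
"""
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    """Split the value of a constructed DER element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        out.append((tag, value))
    return out


def load_der(data):
    """Accept DER bytes or a PEM-armoured certificate and return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)  # strip BEGIN/END lines
        return base64.b64decode(b"".join(body.split()))
    return data


def rsa_key_bits(cert_der):
    """Return the RSA modulus length in bits, or None if the key is not RSA."""
    _, cert, _ = _read_tlv(cert_der, 0)                # Certificate ::= SEQUENCE
    tbs = _children(cert)[0][1]                        # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki = _children(fields[5][1])
    if not spki[0][1].startswith(RSA_ENCRYPTION_OID):  # AlgorithmIdentifier.algorithm
        return None
    bit_string = spki[1][1][1:]                        # drop the unused-bits byte
    _, rsa_pub, _ = _read_tlv(bit_string, 0)           # RSAPublicKey ::= SEQUENCE
    modulus = _children(rsa_pub)[0][1]                 # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()


def weak_rsa_certs(certs, minimum_bits=1024):
    """Return (name, bits) for every certificate whose RSA key is below minimum_bits."""
    weak = []
    for name, data in certs.items():
        bits = rsa_key_bits(load_der(data))
        if bits is not None and bits < minimum_bits:
            weak.append((name, bits))
    return weak


# --- Constructed sample input: certificate-shaped DER blobs, not real keys ---
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _integer(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b                                # keep the INTEGER positive
    return _tlv(0x02, b)


def fake_cert(modulus_bits):
    """Build a synthetic certificate skeleton carrying an RSA modulus of the given size."""
    modulus = (1 << (modulus_bits - 1)) | 1            # exact bit length, not a real key
    rsa_pub = _tlv(0x30, _integer(modulus) + _integer(65537))
    spki = _tlv(0x30, _tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
                + _tlv(0x03, b"\x00" + rsa_pub))
    empty = _tlv(0x30, b"")                            # placeholder Name/Validity/AlgId
    tbs = _tlv(0x30, _tlv(0xA0, _integer(2)) + _integer(1) + empty * 4 + spki)
    return _tlv(0x30, tbs + empty + _tlv(0x03, b"\x00"))


SAMPLE_CERTS = {  # constructed names and contents
    "legacy-intranet.pem": b"-----BEGIN CERTIFICATE-----\n"
        + base64.encodebytes(fake_cert(512)) + b"-----END CERTIFICATE-----\n",
    "web-frontend.der": fake_cert(2048),
    "old-signing.der": fake_cert(1023),
}

if __name__ == "__main__":
    for name, bits in weak_rsa_certs(SAMPLE_CERTS):
        print(f"{name}: {bits}-bit RSA key is below the 1024-bit minimum")
```

Run against real exported certificates by replacing `SAMPLE_CERTS` with the files' contents; raising `minimum_bits` to 2048 applies the NIST recommendation instead of Microsoft's cut-off. On a Windows host the same check can be made directly against the machine store with PowerShell (`Get-ChildItem Cert:\LocalMachine\My` and each certificate's `PublicKey.Key.KeySize`), which avoids exporting anything.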
