Microsoft Security Bulletin MS12-062 - Important

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

• In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

• Enable Internet Explorer 8 and Internet Explorer 9 XSS filter in the Local intranet security zone

  You can help protect against exploitation of this vulnerability by changing your settings to enable the XSS filter in the Local intranet security zone. (XSS filter is enabled by default in the Internet security zone.) To do this, perform the following steps:

  1. In Internet Explorer 8 or Internet Explorer 9, click Internet Options on the Tools menu.
  2. Click the Security tab.
  3. Click Local intranet, and then click Custom level.
  4. Under Settings, in the Scripting section, under Enable XSS filter, click Enable, and then click OK.
  5. Click OK two times to return to Internet Explorer.

  Impact of workaround. Internal sites not previously flagged as being XSS risks could be flagged.

  How to undo the workaround.

  To undo this workaround, perform the following steps.

  1. In Internet Explorer 8 or Internet Explorer 9, click Internet Options on the Tools menu.
  2. Click the Security tab.
  3. Click Local intranet, and then click Custom level.
  4. Under Settings, in the Scripting section, under Enable XSS filter, click Disable, and then click OK.
  5. Click OK two times to return to Internet Explorer.

What is the scope of the vulnerability? 
This is a cross-site scripting vulnerability that could result in elevation of privilege.

What causes the vulnerability? 
This vulnerability is caused when System Center Configuration Manager improperly handles specially crafted requests that allow an attacker to gain access to System Center Configuration Manager and carry out the same actions as an authenticated user.

What is cross-site scripting? 
Cross-site scripting (XSS) is a class of security vulnerability that can enable an attacker to inject script code into a user's session with a website. The vulnerability can affect web servers that dynamically generate HTML pages. If these servers embed browser input in the dynamic pages that they send back to the browser, these servers can be manipulated to include maliciously supplied content in the dynamic pages. This can allow specially crafted script to be executed. Web browsers may perpetuate this problem through their assumptions of "trusted" sites and their use of cookies to maintain persistent state with the websites that they frequent. An XSS attack inserts new, specially crafted script that can execute at the browser in the context that is associated with a trusted server.

What might an attacker use the vulnerability to do? 
An attacker who successfully exploited this vulnerability could inject a client-side script in the user's browser. The script could spoof content, disclose information, or take any action that the user could take on the affected website on behalf of the targeted user.

How could an attacker exploit the vulnerability? 
An attacker could exploit this vulnerability by having a user visit an affected website by way of a specially crafted URL. This can be done through any medium that can contain URL web links that are controlled by the attacker, such as a link in an email, a link on a website, or a redirect on a website. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the affected website by way of a specially crafted URL.

What systems are primarily at risk from the vulnerability? 
System Center Configuration Manager servers with users who are authorized to access the System Center Configuration Manager Admin UI are primarily at risk.

What does the update do? 
This update modifies the way that System Center Configuration Manager handles specially crafted requests.

When this security bulletin was issued, had this vulnerability been publicly disclosed? 
No. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.

Reference Table

The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.