Security Bulletin

Microsoft Security Bulletin MS12-007 - Important

Vulnerability in AntiXSS Library Could Allow Information Disclosure (2607664)

Published: January 10, 2012 | Updated: January 16, 2012

Version: 2.1

General Information

Executive Summary

This security update resolves one privately reported vulnerability in the Microsoft Anti-Cross Site Scripting (AntiXSS) Library. The vulnerability could allow information disclosure if an attacker passes a malicious script to a website using the sanitization function of the AntiXSS Library. The consequences of the disclosure of that information depends on the nature of the information itself. Note that this vulnerability would not allow an attacker to execute code or to elevate the attacker's user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system. Only sites that use the sanitization module of the AntiXSS Library are affected by this vulnerability.

This security update is rated Important for the AntiXSS Library V3.x and the AntiXSS Library V4.0. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The update addresses the vulnerability by upgrading the AntiXSS Library to a version that is not affected by the vulnerability. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.

Known Issues. Microsoft Knowledge Base Article 2607664 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.

Affected and Non-Affected Software

The following software have been tested to determine which versions or editions are affected.

Affected Software 

Software Maximum Security Impact Aggregate Severity Rating Bulletins Replaced by this Update
Microsoft Anti-Cross Site Scripting Library V3.x and Microsoft Anti-Cross Site Scripting Library V4.0[1][2] Information Disclosure Important None

[1]This download upgrades Microsoft Anti-Cross Site Scripting (AntiXSS) Library to a newer version of the Microsoft Anti-Cross Site Scripting Library that is not affected by the vulnerability.

[2]This upgrade is available from the Microsoft Download Center only. Please see the next section, Frequently Asked Questions (FAQ) Related to This Security Update.

Why was this bulletin rereleased on January 11, 2012?
Microsoft rereleased this bulletin to announce that the original upgrade package, AntiXSS Library version 4.2, has been replaced with AntiXSS Library version 4.2.1. The new version resolves a naming issue that caused installation of the original upgrade package to fail in certain circumstances. All users of the AntiXSS Library will need to upgrade to AntiXSS Library version 4.2.1 to help ensure they are protected from the vulnerability described in this bulletin.

I am a developer using the AntiXSS Library. Do I just need the update on my system?
No. Developers who use the AntiXSS Library should install the upgrade described in this bulletin and then also deploy the updated library to all their active websites that use the AntiXSS Library.

Does this upgrade contain any security-related changes to functionality?
Yes. In addition to the changes that are listed in the Vulnerability Information section of this bulletin, upgrading to a newer version of the AntiXSS Library (AntiXSS Library version 4.2.1) also changes functionality of how Cascading Style Sheets (CSS) are handled by the AntiXSS Library. HTML input to the sanitizer that contains styles, such as tags or attributes, will be stripped. For style tags, the contents of the tag will be left behind. This behaviour is consistent with the behavior for other invalid tags.

How do I upgrade my version of the AntiXSS Library?
Customers can obtain a newer version of the Microsoft Anti-Cross Site Scripting Library (AntiXSS Library version 4.2.1) that is not affected by the vulnerability by using the download link in the Affected Software table in the earlier section, Affected and Non-Affected Software.

Why is the upgrade only available from the Microsoft Download Center?
Microsoft is releasing the upgrade for the AntiXSS Library to the Microsoft Download Center only. Because developers deploy the updated library only to active websites that use the AntiXSS Library, other distribution methods, such as automatic updating, are not appropriate for this type of upgrade scenario.

Vulnerability Information

Severity Ratings and Vulnerability Identifiers

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the January bulletin summary. For more information, see Microsoft Exploitability Index.

Affected Software AntiXSS Library Bypass Vulnerability - CVE-2012-0007 Aggregate Severity Rating
Microsoft Anti-Cross Site Scripting Library V3.x and Microsoft Anti-Cross Site Scripting Library V4.0 Important \ Information Disclosure Important

AntiXSS Library Bypass Vulnerability - CVE-2012-0007

An information disclosure vulnerability exists when the Microsoft Anti-Cross Site Scripting (AntiXSS) Library incorrectly sanitizes specially crafted HTML. An attacker who successfully exploited this vulnerability could perform a cross-site scripting (XSS) attack on a website that is using the AntiXSS Library to sanitize user provided HTML. This could allow an attacker to pass a malicious script through a sanitization function and expose information not intended to be disclosed. The consequences of the disclosure of this information depends on the nature of the information itself. Note that this vulnerability would not allow an attacker to execute code or to elevate the attacker's user rights directly, but it could be used to produce information that could be used in an attempt to further compromise the affected system.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2012-0007.

Mitigating Factors for AntiXSS Library Bypass Vulnerability - CVE-2012-0007

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

  • Only sites that use the sanitization module of the AntiXSS Library are affected by this vulnerability.

Workarounds for AntiXSS Library Bypass Vulnerability - CVE-2012-0007

Microsoft has not identified any workarounds for this vulnerability.

FAQ for AntiXSS Library Bypass Vulnerability - CVE-2012-0007

What is the scope of the vulnerability? 
This is an information disclosure vulnerability. An attacker who successfully exploited this vulnerability could pass a malicious script through a sanitization function and expose information not intended to be disclosed. Note that this vulnerability would not allow an attacker to execute code or to elevate the attacker's user rights directly, but it could be used to gather information that could be used in an attempt to further compromise the affected system.

What causes the vulnerability? 
The vulnerability is the result of the Microsoft Anti-Cross Site Scripting (AntiXSS) Library incorrectly evaluating certain characters after a CSS escaped character is detected.

What is the Anti-Cross Site Scripting (AntiXSS) Library? 
The Microsoft Anti-Cross Site Scripting (AntiXSS) Library is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique -- sometimes referred to as the principle of inclusions -- to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and then encoding anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes.

What might an attacker use the vulnerability to do? 
An attacker who successfully exploited this vulnerability could perform a cross-site scripting (XSS) attack on a website that is using the AntiXSS Library to sanitize user provided HTML. An attacker could then pass a malicious script through a sanitization function and expose information not intended to be disclosed. The consequences of the disclosure of that information depends on the nature of the information itself. Note that this vulnerability would not allow an attacker to execute code or to elevate the attacker's user rights directly, but it could be used to gather information that could be used in an attempt to further compromise the affected system.

How could an attacker exploit the vulnerability? 
To exploit this vulnerability, an attacker could send specially crafted HTML to a target website that is using the sanitization module of the AntiXSS Library. When the AntiXSS Library incorrectly sanitizes the HTML, malicious script contained within the specially crafted HTML could be run on the affected web server.

What systems are primarily at risk from the vulnerability? 
Web servers using the AntiXSS Library are at risk from this vulnerability.

What does the update do? 
The update addresses the vulnerability by upgrading the AntiXSS Library to a version that is not affected by the vulnerability.

When this security bulletin was issued, had this vulnerability been publicly disclosed? 
No. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? 
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

Other Information

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Support

  • Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.
  • International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support website.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (January 10, 2012): Bulletin published.
  • V2.0 (January 11, 2012): Announced that the original upgrade package, AntiXSS Library version 4.2, has been replaced with AntiXSS Library version 4.2.1. All users of the AntiXSS Library will need to upgrade to AntiXSS Library version 4.2.1 to help ensure they are protected from the vulnerability described in this bulletin. See the update FAQ for more information.
  • V2.1 (January 16, 2012): Added a link to Microsoft Knowledge Base Article 2607664 under Known Issues in the Executive Summary. Also, revised entry in the update FAQ to clarify why the upgrade to AntiXSS Library version 4.2.1 is only available from the Microsoft Download Center.

Built at 2014-04-18T13:49:36Z-07:00