The following cyber advisory was issued by the New York State Office of Information Technology Services and is intended for State government entities. The information may or may not be applicable to the general public and, accordingly, the State does not warrant its use for any specific purposes.

ITS ADVISORY NUMBER:
2013-040

DATE(S) ISSUED:
4/09/2013

SUBJECT:
Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (MS13-035)

OVERVIEW:

A vulnerability in Microsoft's HTML sanitization component, used in Microsoft Office, SharePoint and Groove, could allow elevation of privilege. The HTML sanitization component restricts HTML to elements that can be safely displayed in a browser. Exploitation may occur if a user visits a specially crafted website. Successful exploitation could allow the attacker to read content or use the victim's identity to take actions on the targeted site or application.

SYSTEMS AFFECTED:

  • Microsoft InfoPath 2010
  • Microsoft SharePoint Server 2010
  • Microsoft Groove Server 2010
  • Microsoft SharePoint Foundation 2010
  • Microsoft Office Web Apps 2010

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:
A vulnerability in Microsoft's HTML sanitization component, used in Microsoft Office, SharePoint and Groove, could allow elevation of privilege. This vulnerability is caused by the way HTML strings are sanitized. Exploitation may occur if a user visits a specially crafted website. Successful exploitation could allow the attacker to read content or use the victim's identity to take actions on the targeted site or application.
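As an added example, not code from the advisory or from Microsoft's component, the following shows the allowlist approach such a sanitizer takes: every element and attribute not on the list is dropped, script and style bodies are discarded rather than kept as text, and URL attributes are normalised before the scheme check so that an altered case or embedded whitespace does not slip past it. The tag and attribute lists are assumptions chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlists for this example only; a real sanitizer uses larger ones.
ALLOWED_TAGS = {"p", "b", "i", "ul", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
URL_ATTRS = {"href"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
RAW_TEXT_TAGS = {"script", "style"}   # bodies are dropped entirely


def _safe_url(value):
    # Strip whitespace/control characters and lowercase before checking the
    # scheme, so " JavaScript:" or "java\tscript:" are still rejected.
    norm = "".join(c for c in value if not c.isspace() and c.isprintable()).lower()
    return norm.startswith(SAFE_SCHEMES) or norm.startswith(("/", "#"))


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = False   # True while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.dropping = True
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return              # unknown element removed, its text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue        # event handlers, style, etc. never pass
            value = value or ""
            if name in URL_ATTRS and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.dropping = False
        elif not self.dropping and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))  # text is re-escaped


def sanitize(html):
    p = AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```

Comments, declarations and processing instructions are silently discarded because the parser's default handlers for them emit nothing.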

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

REFERENCES:
Microsoft:
https://technet.microsoft.com/en-us/security/bulletin/ms13-035

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1289
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2520