Microsoft Visual Studio XML Editor External Entity Resolution Flaw Lets Remote Users Obtain Potentially Sensitive Information

SecurityTracker Alert ID: 1025647
SecurityTracker URL: http://securitytracker.com/id/1025647
CVE Reference: CVE-2011-1280
Updated: Aug 10 2011
Original Entry Date: Jun 14 2011
Impact: Disclosure of system information, Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2005 SP1, 2008 SP1, 2010

Description:
A vulnerability was reported in Microsoft Visual Studio. A remote user can obtain the contents of files on the target system.
A remote user can create a specially crafted Web Service Discovery (.disco) file that, when opened by the target user with the XML editor, will allow the remote user to obtain the contents of a file on the target user's system. The underlying flaw is that the XML editor resolves external entities declared in the opened file.
Jesse Ou of Cigital reported this vulnerability.

Impact:
A remote user can obtain the contents of files on the target system.
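As an added, defender-side example that is not part of this advisory: a Python check, using only the standard library's expat parser, that flags the DTD constructs (a DOCTYPE and any external entity declaration or reference) an XML editor would have to resolve to expose a local file. The two .disco samples are constructed for the example; the file path and URLs in them are placeholders.

```python
import xml.parsers.expat

# Constructed sample: a benign .disco document in the Web Service Discovery format.
BENIGN_DISCO = b"""<?xml version="1.0" encoding="utf-8"?>
<discovery xmlns="http://schemas.xmlsoap.org/disco/">
  <contractRef ref="http://example.invalid/Service.asmx?wsdl"
               docRef="http://example.invalid/Service.asmx"
               xmlns="http://schemas.xmlsoap.org/disco/scl/" />
</discovery>
"""

# Constructed sample: the same document carrying a DTD that declares an external
# entity pointing at a local file (placeholder path), the shape this advisory describes.
SUSPICIOUS_DISCO = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE discovery [
  <!ENTITY leak SYSTEM "file:///C:/placeholder.txt">
]>
<discovery xmlns="http://schemas.xmlsoap.org/disco/">&leak;</discovery>
"""


def scan_disco(data: bytes) -> list:
    """Return findings for DTD constructs that would make a resolving parser
    read a local file or fetch a remote resource. Nothing is ever fetched."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE '{name}' present (sysid={sysid!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Only entities with a SYSTEM or PUBLIC identifier point outside the file.
        if sysid is not None or pubid is not None:
            kind = "parameter" if is_param else "general"
            findings.append(f"external {kind} entity '{name}' -> {sysid!r}")

    def on_external_ref(context, base, sysid, pubid):
        findings.append(f"external entity referenced in content -> {sysid!r}")
        return 1  # report it as handled so expat continues without resolving it

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)
    return findings


def is_safe_disco(data: bytes) -> bool:
    """True when the document carries no DTD construct worth resolving."""
    return not scan_disco(data)
```

A .disco file has no legitimate need for a DTD, so rejecting any document with a DOCTYPE (not only ones with external entities) is a reasonable policy for tooling that ingests them.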

Solution:
The vendor has issued the following fixes:
Microsoft Visual Studio 2005 Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?familyid=e5ce8a9a-e89b-4095-9f21-7e6f307fbf2b
Microsoft Visual Studio 2008 Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?familyid=cc01bce9-3f38-4590-9c6e-a4048c886d33
Microsoft Visual Studio 2010:
http://www.microsoft.com/downloads/details.aspx?familyid=213b820f-dcba-4895-b339-b50eeb92524d
A restart may be required.
[Editor's note: On August 9, 2011, Microsoft re-issued their Bulletin to report a detection change to the update for Microsoft Visual Studio 2005 SP1. Users that have successfully updated do not need to reinstall this update.]
The Microsoft advisory is available at:
http://www.microsoft.com/technet/security/bulletin/ms11-049.mspx

Vendor URL: www.microsoft.com/technet/security/bulletin/ms11-049.mspx

Cause: Access control error

Underlying OS: Windows (Any)

Message History: None.