Vulnerabilities in SafeHTML Could Allow Information Disclosure (2412048)

Published: October 12, 2010

Version: 1.0

General Information

Executive Summary

This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft SharePoint and Windows SharePoint Services. The vulnerabilities could allow information disclosure if an attacker submits specially crafted script to a target site using SafeHTML.

This security update is rated Important for Microsoft SharePoint Services 3.0, Microsoft SharePoint Foundation 2010, and Microsoft Office Web Apps; and all supported editions of Microsoft Office SharePoint Server 2007, and Microsoft Groove Server 2010. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The update addresses the vulnerabilities by modifying the way that SafeHTML sanitizes HTML content. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.

http://www.microsoft.com/technet/security/bulletin/MS10-072.mspx