Besides all the Windows and Windows component-related bulletins from today, Microsoft also released a relatively minor bulletin about two cross-site scripting (XSS) vulnerabilities that affect Microsoft System Center Operations Manager (SCOM) 2007.
For those unaware of this specialized product, SCOM is a centralized, cross-platform management system for operating systems and hypervisors, targeted to data centers. It basically helps network operators monitor the health of all their systems, and offers these management capabilities via a web interface.
According to today’s security bulletin, SCOM’s web console suffers from two XSS vulnerabilities. If an attacker knows you use Microsoft SCOM, and can entice you to click on a specially crafted URL, she could exploit this flaw to execute script in your browser with your privileges. Among other things, this could allow the attacker to do anything on your SCOM server that you could do.
I don’t suspect the majority of WatchGuard’s customers use SCOM, and even if you do, it’s relatively difficult for an attacker to know whether you use it or not. So I doubt many attackers will leverage this vulnerability in the wild. That said, if you do use SCOM, you should apply Microsoft’s update. Furthermore, if you use one of our XTM appliances with the IPS service, we have a signature (EXPLOIT Microsoft SCOM Web Console XSS Vulnerability) that detects this XSS attack.

— Corey Nachreiner, CISSP (@SecAdept)