
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Minor Microsoft System Center Operations Manager XSS Vulnerabilities

January 8, 2013 By Corey Nachreiner

Besides all the Windows and Windows component-related bulletins from today, Microsoft also released a relatively minor bulletin about two cross-site scripting (XSS) vulnerabilities that affect Microsoft System Center Operations Manager (SCOM) 2007.

For those unaware of this specialized product, SCOM is a centralized, cross-platform management system for operating systems and hypervisors, targeted at data centers. It helps network operators monitor the health of all their systems, and offers these management capabilities through a web interface.

According to today’s security bulletin, SCOM’s web console suffers from two XSS vulnerabilities. If an attacker knows you use Microsoft SCOM, and can entice you to click on a specially crafted URL, she could exploit this flaw to execute script in your browser with your privileges. Among other things, this could allow the attacker to do anything on your SCOM server that you could do.

I don’t suspect the majority of WatchGuard’s customers use SCOM, and even if you do, it’s relatively difficult for an attacker to know whether you use it or not. So I doubt many attackers will leverage this vulnerability in the wild. That said, if you do use SCOM, you should apply Microsoft’s update. Furthermore, if you use one of our XTM appliances with the IPS service, we have a signature (EXPLOIT Microsoft SCOM Web Console XSS Vulnerability) that detects this XSS attack. — Corey Nachreiner, CISSP (@SecAdept)
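To make the reflected-XSS mechanism described above concrete, and to show what the defensive side of it looks like, here is an added Python example. It is not code from this post, from WatchGuard or from Microsoft, and the bulletin discloses no details of the SCOM console flaw, so the parameter name `view`, the host `scom.example.test`, the crafted link and the benign link are all constructed. The block renders the same page twice, once reflecting the query value verbatim (the vulnerable pattern) and once HTML-encoding it first, adds the response headers a hardened console would send, and includes a crude URL heuristic in the spirit of the proxy or IPS inspection mentioned below (an illustration only, not the WatchGuard signature).

```python
"""Reflected XSS: a vulnerable rendering beside its hardened form.

Added example, not code from the Secplicity post, WatchGuard or Microsoft.
The parameter name "view", the host scom.example.test and the payload are
constructed for illustration; the bulletin discloses no such details.
"""
import re
from html import escape
from urllib.parse import parse_qs, urlparse

# Constructed: a crafted link of the kind the post describes. The victim's
# browser sends it to the console, which reflects the "view" value into HTML.
CRAFTED_URL = (
    "https://scom.example.test/console/default.aspx"
    "?view=%3Cscript%3Ealert(1)%3C/script%3E"
)
# Constructed: an ordinary link to the same (hypothetical) page.
BENIGN_URL = "https://scom.example.test/console/default.aspx?view=Alerts"


def view_param(url: str) -> str:
    """Return the decoded value of the hypothetical 'view' query parameter."""
    query = parse_qs(urlparse(url).query)
    return query.get("view", [""])[0]


def render_vulnerable(view: str) -> str:
    """Reflects the parameter verbatim: attacker markup becomes part of the page."""
    return f"<h1>View: {view}</h1>"


def render_hardened(view: str) -> str:
    """Same page, with the value HTML-encoded before it reaches the response body."""
    return f"<h1>View: {escape(view, quote=True)}</h1>"


def security_headers() -> dict:
    """Defence in depth: a CSP that refuses inline script, so a reflected
    payload the encoding missed would still not execute in a modern browser."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


# Crude heuristic in the spirit of a web-proxy or IPS check on request URLs
# (an illustration, not WatchGuard's signature): flag decoded query values
# that carry script tags, javascript: URLs or event-handler attributes.
_ACTIVE_MARKUP = re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)


def looks_like_xss_attempt(url: str) -> bool:
    """True when any decoded query value in the URL contains active markup."""
    values = [v for vs in parse_qs(urlparse(url).query).values() for v in vs]
    return any(_ACTIVE_MARKUP.search(v) for v in values)


if __name__ == "__main__":
    payload = view_param(CRAFTED_URL)
    print("vulnerable  :", render_vulnerable(payload))
    print("hardened    :", render_hardened(payload))
    print("flag crafted:", looks_like_xss_attempt(CRAFTED_URL))
    print("flag benign :", looks_like_xss_attempt(BENIGN_URL))
```

The hardened rendering neutralizes the payload by encoding `<`, `>`, `&` and quotes at the point where untrusted data meets HTML; the CSP header is a second, independent layer, and the URL heuristic only tells you that someone tried, which is why it belongs in monitoring rather than as a substitute for the patch.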



Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use