This month’s Microsoft Patch Tuesday release is the lightest in the past year. Microsoft released just two bulletins, and both are rated Important. The last time Microsoft released as few as two bulletins was in May 2011.
In focus this month are two cross-site scripting vulnerabilities found in Visual Studio Team Foundation Server and in System Center Configuration Manager 2003 and System Center Configuration Manager 2007. These products are used in businesses mainly to facilitate collaboration and consumerization, respectively. Businesses stand to lose when vulnerable products deployed at large scale are not patched immediately. Attackers have kept cross-site scripting vulnerabilities in their arsenal, which is one of the reasons attacks were successful and widespread in 2011.
Trend Micro Deep Security users are protected from cross-site scripting attacks by rule 1000552 – Generic Cross Site Scripting(XSS) Prevention, which shipped in 2007. The bulletins are discussed further on this Threat Encyclopedia page.