CVE Number: MS12-040
Vulnerability: Vulnerability in Microsoft Dynamics AX Enterprise Portal Could Allow Elevation of Privilege (2709100)
Product: Microsoft Dynamics
Severity: Important
Date: 13-06-2012

Technical Information

Brief overview of the risk:
This security update resolves one privately reported vulnerability in Microsoft Dynamics AX Enterprise Portal. The vulnerability could allow elevation of privilege if a user clicks a specially crafted URL or visits a specially crafted website. In an email attack scenario, an attacker could exploit the vulnerability by sending an email message that contains the specially crafted URL to the user of the targeted Microsoft Dynamics AX Enterprise Portal site and by convincing the user to click the specially crafted URL. Internet Explorer 8 and Internet Explorer 9 users browsing to a Microsoft Dynamics AX Enterprise Portal site in the Internet Zone are at a reduced risk. By default, the XSS Filter in Internet Explorer 8 and Internet Explorer 9 prevents this attack in the Internet Zone. However, the XSS Filter in Internet Explorer 8 and Internet Explorer 9 is not enabled by default in the Intranet Zone.
Detailed Information on the risk:
A cross-site scripting vulnerability exists in Microsoft Dynamics AX Enterprise Portal that could result in information disclosure or elevation of privilege if a user clicks a specially crafted URL that contains malicious JavaScript elements. Because of the vulnerability, when the malicious JavaScript is echoed back to the user’s browser, the resulting page could allow an attacker to issue Microsoft Dynamics AX Enterprise Portal commands in the context of the authenticated user on the targeted Microsoft Dynamics AX Enterprise Portal site.
Further information on this exploit is available at: MS12-040

Affected Software

Microsoft Dynamics AX 2012