PT-2011-3016 · Microsoft · Sql Server Management Studio Express+3

Published: 2011-06-16 · Updated: 2018-10-12 · CVE-2011-1280

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Microsoft InfoPath versions 2007 SP2 through 2010
SQL Server versions 2005 SP3 through 2008 R2
SQL Server Management Studio Express (SSMSE) version 2005
Visual Studio versions 2005 SP1 through 2010

Description

An issue exists in the way Microsoft XML Editor handles external entities, allowing remote attackers to read arbitrary files via a crafted .disco (Web Service Discovery) file. This is related to the handling of specially crafted XML files, which can lead to information disclosure.

Recommendations

For Microsoft InfoPath versions 2007 SP2 through 2010, update to a version that properly handles external entities.
For SQL Server versions 2005 SP3 through 2008 R2, update to a version that properly handles external entities.
For SQL Server Management Studio Express (SSMSE) version 2005, update to a version that properly handles external entities.
For Visual Studio versions 2005 SP1 through 2010, update to a version that properly handles external entities.
As a temporary workaround, consider restricting access to the XML Editor to minimize the risk of exploitation.

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2011-1280

Affected Products

Infopath
Sql Server
Sql Server Management Studio Express
Visual Studio