Microsoft Internet Explorer and Sharepoint contain a flaw that may lead to an unspecified unauthorized information disclosure. This issue is triggered when the 'toStaticHTML()' method fails to properly sanitise HTML code. This may allow a remote attacker to conduct cross-site scripting attacks.

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability. Check the vendor advisory or solution in the references section.

• CVE ID: 2010-1257 (see also: NVD)
• Microsoft Knowledge Base Article: 2028554 982381
• Secunia Advisory ID: 40062
• Related OSVDB ID: 65212 65213 65214 65215
• News Article: http://blogs.technet.com/b/msrc/archive/2010/06/03/june-2010-security-bulletin-advance-notification.aspx
  http://news.cnet.com/8301-27080_3-20006781-245.html
• Microsoft Security Bulletin: MS10-035 MS10-039
• CERT: TA10-159B

• Chris Weber - Casaba Security
• Takeshi Terada - Mitsui Bussan Secure Directions