Symptoms
This article describes a hotfix that resolves an issue in which unauthorized scripts can run on Microsoft BitLocker Administration and Monitoring (MBAM) webpages. Before you install the update, a script from a user (user A) can run on the computer of another user (user B). The script can run when user B views the MBAM hardware management webpage. The script can change the webpage. Or, the script can let user A perform actions in user B’s web browser.
Cause
This issue occurs because the MBAM hardware management webpage does not encode information before it is displayed on the webpage.
Resolution
Method 1
To resolve this issue, we recommend that you upgrade to MBAM 2.0 or a later version. For more information, go to the following Microsoft website:
Method 2
To resolve this issue, replace the hardware management webpage (Hardware.aspx) on the MBAM HelpDesk webpage by using a safe version of the Hardware.aspx file. To do this, follow these steps:
- Download the package from the following Microsoft website:
  Download the package now.
- In the .zip file package, extract the Hardware.aspx file that corresponds to the version of MBAM that is installed.

  MBAM version       Fixed webpage
  MBAM 1.0.1237.1    MBAM 1.0\Hardware.aspx
  MBAM 1.0.2001.1    MBAM 1.0R1\Hardware.aspx

- Locate the installation location of the MBAM HelpDesk website. To do this, use one of the following methods:
  - Locate the path of the website in the following Internet Information Services (IIS) root folder. This is the default location of the website:
    C:\inetpub\Malta BitLocker Management Solution\Help Desk Website
  - If the path of the website is not set, use the following registry key to locate the website installation location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft BitLocker Administration and Monitoring\Setup\WebsiteInstallPath
- Create a copy of the Hardware.aspx file in the MBAM HelpDesk website directory. Then, save the copy to a directory that is not related to the website. For example, save the copy on the desktop.
- Replace the Hardware.aspx file in the MBAM HelpDesk website directory by using the Hardware.aspx file that you extracted.
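
The locate, back up and replace steps above can be scripted so that the backup is confirmed before anything is overwritten. The following PowerShell is an added example, not part of the hotfix package or of Microsoft's instructions. It assumes PowerShell 4.0 or later, an elevated session, and that WebsiteInstallPath is a value under the Setup key; the -FixedFile and -BackupDir parameter names are illustrative.

```powershell
# Added example, not Microsoft's code. Assumptions: PowerShell 4.0+ (Get-FileHash),
# elevated session, WebsiteInstallPath is a value under the ...\Setup registry key.
param(
    # Hardware.aspx extracted from the package for the installed MBAM version
    [Parameter(Mandatory = $true)][string]$FixedFile,
    # Backup folder outside the website tree (illustrative default)
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'Desktop\MBAM-Hardware-backup')
)
$ErrorActionPreference = 'Stop'

# Locate the HelpDesk site: default IIS location first, then the registry.
$site = 'C:\inetpub\Malta BitLocker Management Solution\Help Desk Website'
if (-not (Test-Path -LiteralPath $site)) {
    $setupKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft BitLocker Administration and Monitoring\Setup'
    $site = (Get-ItemProperty -LiteralPath $setupKey -Name WebsiteInstallPath).WebsiteInstallPath
}
$target = Join-Path $site 'Hardware.aspx'
if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
    throw "Hardware.aspx not found under '$site'; locate the HelpDesk site manually."
}
if (-not (Test-Path -LiteralPath $FixedFile -PathType Leaf)) {
    throw "Fixed file '$FixedFile' not found."
}

# The backup must not live inside the website directory, where IIS could serve it.
$backupFull = [System.IO.Path]::GetFullPath($BackupDir).TrimEnd('\')
$siteFull   = [System.IO.Path]::GetFullPath($site).TrimEnd('\')
if (($backupFull + '\').StartsWith($siteFull + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "Backup directory must be outside '$site'."
}

# Back up the current page and confirm the copy is byte-identical.
New-Item -ItemType Directory -Path $backupFull -Force | Out-Null
$backup = Join-Path $backupFull ('Hardware.aspx.{0:yyyyMMdd-HHmmss}.bak' -f (Get-Date))
Copy-Item -LiteralPath $target -Destination $backup
if ((Get-FileHash -LiteralPath $backup).Hash -ne (Get-FileHash -LiteralPath $target).Hash) {
    throw 'Backup does not match the original; nothing was replaced.'
}

# Replace the page, then confirm the deployed file is the fixed one.
Copy-Item -LiteralPath $FixedFile -Destination $target -Force
if ((Get-FileHash -LiteralPath $target).Hash -ne (Get-FileHash -LiteralPath $FixedFile).Hash) {
    throw "Replacement failed; restore from '$backup'."
}
"Replaced $target (backup: $backup)"
```

If the script stops with an error before the replace step, the website's Hardware.aspx is unchanged.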
Prerequisites
To apply this update, you must be running MBAM 1.0.
Registry information
To apply this update, you do not have to make any changes to the registry.
Restart requirement
You do not have to restart the computer after you apply this update.
Update replacement information
This update does not replace a previously released update.
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.