Microsoft issues work-around, advice for SharePoint zero-day
Disable SharePoint 2007 help, require admins to run IE8, says Microsoft advisory
Computerworld - Microsoft Corp. on Thursday urged SharePoint 2007 administrators to protect systems against a recently revealed zero-day vulnerability that could be exploited to steal company secrets.
The bug, which was disclosed Wednesday by the Swiss security consultancy High-Tech Bridge, could be used by attackers to pilfer confidential information from companies' SharePoint servers, which are widely used to power corporate intranets and enable internal collaboration.
Although the company acknowledged that it was working on a fix, it has not set a ship date for the update.
Instead, Microsoft offered an interim work-around that involved disabling access to SharePoint's help system by running a pair of commands from the command prompt. The commands modify the access control list (ACL), Windows' list of file access permissions.
"It's safe to assume the bug, or at least the known [attack] vector, is in that area of the code," said Andrew Storms, director of security operations at nCircle Security.
Additionally, Microsoft recommended that administrators run Internet Explorer 8 (IE8), which includes a cross-site scripting filter that can reduce the exploit risk. Administrators will need to modify IE8's settings, however, to switch on the filter for the Local Intranet security zone of the browser, since it's off by default.
Network administrators can also use group policies to enable the filter in the Local Intranet Zone for all IE8 users, Microsoft added.
Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC), cautioned administrators to watch where they click. "If you are an admin on SharePoint server, don't click on any emailed suspicious links to server," Ness said via Twitter yesterday. SharePoint administrators would likely be targeted, since they have broader access to the server's data, and its settings, than an everyday user.
Microsoft doesn't rank vulnerabilities it hasn't patched, but Storms said the threat was minor for the moment. "Pretty low risk at this time, given the user interaction required and the intel required to target the victim," he said in an interview conducted over instant messaging.
Only SharePoint Server 2007 and SharePoint Services 3.0 contain the vulnerability. The newer SharePoint Server 2010 -- which made its release to manufacturing (RTM) milestone earlier this month but won't officially launch until May 12 when it debuts alongside Office 2010 -- is immune to this attack.
The last time Microsoft had to patch SharePoint was in October 2007, when the company issued its MS07-059 security update. "For an app that's supposedly rather popular, I'm surprised more people haven't found more bugs in it, [considering] what's usually stored in SharePoint, such as the company's confidential documents," said Storms.
Microsoft's next regularly scheduled Patch Tuesday is May 11.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is firstname.lastname@example.org.