Microsoft issues work-around, advice for SharePoint zero-day
Disable SharePoint 2007 help, require admins to run IE8, says Microsoft advisory
Computerworld - Microsoft Corp. on Thursday urged SharePoint 2007 administrators to protect systems against a recently revealed zero-day vulnerability that could be exploited to steal company secrets.
The bug, which was disclosed Wednesday by the Swiss security consultancy High-Tech Bridge, could be used by attackers to pilfer confidential information from companies' SharePoint servers, which are widely used to power corporate intranets and enable internal collaboration.
Although the company acknowledged that it was working on a fix, it has not set a ship date for the update.
Instead, Microsoft offered an interim work-around that involved disabling access to SharePoint's help system by running a pair of commands from the command prompt. The commands modify the access control list (ACL), Windows' list of file access permissions.
"It's safe to assume the bug or at least the known [attack] vector, is in that area of the code," said Andrew Storms, director of security operations at nCircle Security.
Additionally, Microsoft recommended that administrators run Internet Explorer 8 (IE8), which includes a cross-site scripting filter that can reduce the exploit risk. Administrators will need to modify IE8's settings, however, to switch on the filter for the Local Intranet security zone of the browser, since it's off by default.
Network administrators can also use group policies to enable the filter in the Local Intranet Zone for all IE8 users, Microsoft added.
Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC), cautioned administrators to watch where they click. "If you are an admin on SharePoint server, don't click on any emailed suspicious links to server," Ness said via Twitter yesterday. SharePoint administrators would likely be targeted, since they have broader access to the server's data, and its settings, than an everyday user.
Microsoft doesn't rank vulnerabilities it hasn't patched, but Storms said the threat was minor for the moment. "Pretty low risk at this time, given the user interaction required and the intel required to target the victim," he said in an interview conducted over instant messaging.
Only SharePoint Server 2007 and SharePoint Services 3.0 contain the vulnerability. The newer SharePoint Server 2010 -- which made its release to manufacturing (RTM) milestone earlier this month but won't officially launch until May 12 when it debuts alongside Office 2010 -- is immune to this attack.
The last time Microsoft had to patch SharePoint was in October 2007, when the company issued its MS07-059 security update. "For an app that's supposedly rather popular, I'm surprised more people haven't found more bugs in it, [considering] what's usually stored in SharePoint, such as the company's confidential documents," said Storms.
Microsoft's next regularly scheduled Patch Tuesday is May 11.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Social Business in Computerworld's Social Business Topic Center.
- Shifting Gears: The Value of Customer-Driven Quality in Manufacturing In today's competitive manufacturing market, the customer must be the center of the quality universe. This paper details how manufacturers can improve customer...
- Unlocking the Promise of Demand Sensing and Shaping through Big Data Analytics Many organizations have limited insight into big data. These limitations have significant opportunity costs and can have a negative effect on identifying and...
- The Brave New World of Customer-Centric Manufacturing The Unique Opportunity for Manufacturers to Better Understand their Consumers
- AIIM SharePoint Industry Watch AIIM surveyed its 65,000 community members to look at how the enterprise is reacting to social aspects, why organizations are exploring social, who...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Social Business White Papers | Webcasts