Microsoft issues work-around, advice for SharePoint zero-day

Computerworld - Microsoft Corp. on Thursday urged SharePoint 2007 administrators to protect systems against a recently revealed zero-day vulnerability that could be exploited to steal company secrets.

The bug, which was disclosed Wednesday by the Swiss security consultancy High-Tech Bridge, could be used by attackers to pilfer confidential information from companies' SharePoint servers, which are widely used to power corporate intranets and enable internal collaboration.

"The most likely attack scenario is that an attacker sends a malicious link to a user who is logged into their SharePoint server. If the user clicks the link, the JavaScript created by the attacker and embedded in the link would execute in the context of the user who clicked the link," said a trio of Microsoft security engineers in an entry on the company's "Security Research & Defense" blog late Thursday.

Although the company acknowledged that it was working on a fix, it has not set a ship date for the update.

Instead, Microsoft offered an interim work-around that involved disabling access to SharePoint's help system by running a pair of commands from the command prompt. The commands modify the access control list (ACL), Windows' list of file access permissions.

"It's safe to assume the bug or at least the known [attack] vector, is in that area of the code," said Andrew Storms, director of security operations at nCircle Security.

Additionally, Microsoft recommended that administrators run Internet Explorer 8 (IE8), which includes a cross-site scripting filter that can reduce the exploit risk. Administrators will need to modify IE8's settings, however, to switch on the filter for the Local Intranet security zone of the browser, since it's off by default.

Network administrators can also use group policies to enable the filter in the Local Intranet Zone for all IE8 users, Microsoft added.

Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC), cautioned administrators to watch where they click. "If you are an admin on SharePoint server, don't click on any emailed suspicious links to server," Ness said via Twitter yesterday. SharePoint administrators would likely be targeted, since they have broader access to the server's data, and its settings, than an everyday user.

Microsoft doesn't rank vulnerabilities it hasn't patched, but Storms said the threat was minor for the moment. "Pretty low risk at this time, given the user interaction required and the intel required to target the victim," he said in an interview conducted over instant messaging.

Only SharePoint Server 2007 and SharePoint Services 3.0 contain the vulnerability. The newer SharePoint Server 2010 -- which made its release to manufacturing (RTM) milestone earlier this month but won't officially launch until May 12 when it debuts alongside Office 2010 -- is immune to this attack.

The last time Microsoft had to patch SharePoint was in October 2007, when the company issued its MS07-059 security update. "For an app that's supposedly rather popular, I'm surprised more people haven't found more bugs in it, [considering] what's usually stored in SharePoint, such as the company's confidential documents," said Storms.

Microsoft's next regularly scheduled Patch Tuesday is May 11.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com.

Read more about Social Business in Computerworld's Social Business Topic Center.