Microsoft Warns of SharePoint Security Flaw

The vulnerability affecting those applications has elevation-of-privilege implications for organizations. An attacker can use a cross-site scripting (XSS) technique to "run arbitrary script" that may lead to the attacker gaining access rights on a Web site running SharePoint, according to the advisory.

Security experts and Microsoft's Ross explained that unlike traditional XSS attacks that require the vulnerability to exist on a specific infected Web site, UXSS attacks target vulnerabilities in client applications, such as browsers, browser plug-ins and PDF readers.

"This issue manifests when malicious script can "break out" from within a construct that is already within an existing script block," wrote Ross. He added that while the issue was preliminarily identified and addressed in a January patch of the browser (MS10-002), the new real-world example of UXSS is prompting Microsoft to prep a new patch for June.

Cross-site scripting is the practice of embedding malicious script into a Web page that can execute when users visit the page. In this case, the user would visit a SharePoint intranet page. However, it's been a concern with other Microsoft products. This latest advisory comes just days after Microsoft said it plans to fix an XSS security hole in Internet Explorer 8.

Such attacks typically begin through a "specially crafted" URL sent in an e-mail or IM message that directs the user to a Web site with the malicious script. The script may allow the attacker to gain the same network rights as the user.

Joshua Talbot, security intelligence manager at Symantec Security Response, added that such an attack requires a multifaceted and sophisticated method of incursion.

"First, they would have to find a suitable target Web site that allows users to publish content, such as a social networking site," he said. "Second, they would have to lure the victim to this page by clicking a specially crafted link. Finally, they would have to have the victim follow the link with a vulnerable Web browser."

Talbot added that with the increasing reliance on browsers and Web sites for banking and communication, UXSS vulnerabilities will become increasingly useful and valuable to attackers.

Internet Explorer 8 has a XSS filter that is turned on by default, although the filter ironically has a flaw that can enable XSS attacks. That said, Chenxi Wang, security and risk management analyst at Forrester Research, believes that users shouldn't discount the XSS prevention functions in IE 8 with regard to the SharePoint issue.

"The fact that the cross-site scripting filter introduces an additional vulnerability is unfortunate but sometimes it is a fact of life," she said. "Any time you introduce a new functionality, you introduce the possibility of new vulnerabilities because of the complexity of writing correct software."

Microsoft issued a security advisory on Thursday for a vulnerability in Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007.

View Article


  • There are no comments yet. Be the first to comment!

Leave a Comment
  • Your email address will not be published. All fields are required.

Top White Papers and Webcasts

  • Moving from an on-premises environment to Office 365 does not remove the need to plan for disruptions or reduce the business risk requirements for protecting email services. If anything, some risks increase with a move to the cloud. Read how to ease the transition every business faces if considering or already migrating to cloud email. This white paper discusses: Setting expectations when migrating to Office 365 Understanding the implications of relying solely on Exchange Online security Necessary archiving …

  • Anthony Christie, the Chief Marketing Officer for Level Communications, is responsible for customer experience, worldwide marketing and product management. In this informative asset, he shares his insights into why a private network connection to cloud-bases applications is the right decision for your enterprise. Download now to find out more.

Most Popular Programming Stories

More for Developers

RSS Feeds

Thanks for your registration, follow us on our social networks to keep up-to-date