Microsoft Warns of SharePoint Security Flaw

The vulnerability affecting those applications has elevation-of-privilege implications for organizations. An attacker can use a cross-site scripting (XSS) technique to "run arbitrary script" that may lead to the attacker gaining access rights on a Web site running SharePoint, according to the advisory.

Security experts and Microsoft's Ross explained that unlike traditional XSS attacks that require the vulnerability to exist on a specific infected Web site, UXSS attacks target vulnerabilities in client applications, such as browsers, browser plug-ins and PDF readers.

"This issue manifests when malicious script can "break out" from within a construct that is already within an existing script block," wrote Ross. He added that while the issue was preliminarily identified and addressed in a January patch of the browser (MS10-002), the new real-world example of UXSS is prompting Microsoft to prep a new patch for June.

Cross-site scripting is the practice of embedding malicious script into a Web page that can execute when users visit the page. In this case, the user would visit a SharePoint intranet page. However, it's been a concern with other Microsoft products. This latest advisory comes just days after Microsoft said it plans to fix an XSS security hole in Internet Explorer 8.

Such attacks typically begin through a "specially crafted" URL sent in an e-mail or IM message that directs the user to a Web site with the malicious script. The script may allow the attacker to gain the same network rights as the user.

Joshua Talbot, security intelligence manager at Symantec Security Response, added that such an attack requires a multifaceted and sophisticated method of incursion.

"First, they would have to find a suitable target Web site that allows users to publish content, such as a social networking site," he said. "Second, they would have to lure the victim to this page by clicking a specially crafted link. Finally, they would have to have the victim follow the link with a vulnerable Web browser."

Talbot added that with the increasing reliance on browsers and Web sites for banking and communication, UXSS vulnerabilities will become increasingly useful and valuable to attackers.

Internet Explorer 8 has a XSS filter that is turned on by default, although the filter ironically has a flaw that can enable XSS attacks. That said, Chenxi Wang, security and risk management analyst at Forrester Research, believes that users shouldn't discount the XSS prevention functions in IE 8 with regard to the SharePoint issue.

"The fact that the cross-site scripting filter introduces an additional vulnerability is unfortunate but sometimes it is a fact of life," she said. "Any time you introduce a new functionality, you introduce the possibility of new vulnerabilities because of the complexity of writing correct software."

Microsoft issued a security advisory on Thursday for a vulnerability in Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007.

View Article



Comments

  • There are no comments yet. Be the first to comment!

Leave a Comment
  • Your email address will not be published. All fields are required.

Top White Papers and Webcasts

  • On-demand Event Event Date: March 23, 2017 As you adopt the use of cloud services, whether in public/IaaS, SaaS or hybrid environments, the attack surface expands and, if breached, the costs increase exponentially. This session is designed to help IT and security leaders understand and address the unique challenges that enterprises typically face when they deploy their applications in the public cloud. It summarizes the areas that the public cloud vendors typically take care of and highlights the areas …

  • On-demand EventEvent Date: March 21, 2017 With the rise in ransomware attacks, bank heists that reached new levels of sophistication, and extortion plots that were beyond anything we could have imagined, 2016 certainly was an eventful year for cybersecurity. Going into 2017, no business can afford to be uninformed about cybersecurity or unprepared for an attack. Watch this informative webinar, presented by Andrey Pozhogin, Senior B2B Product Marketing Manager at Kaspersky Lab, as he examines predictions for …

Most Popular Programming Stories

More for Developers

RSS Feeds

Thanks for your registration, follow us on our social networks to keep up-to-date