Microsoft Warns of SharePoint Security Flaw

The vulnerability affecting those applications has elevation-of-privilege implications for organizations. An attacker can use a cross-site scripting (XSS) technique to "run arbitrary script" that may lead to the attacker gaining access rights on a Web site running SharePoint, according to the advisory.

Security experts and Microsoft's Ross explained that unlike traditional XSS attacks that require the vulnerability to exist on a specific infected Web site, UXSS attacks target vulnerabilities in client applications, such as browsers, browser plug-ins and PDF readers.

"This issue manifests when malicious script can "break out" from within a construct that is already within an existing script block," wrote Ross. He added that while the issue was preliminarily identified and addressed in a January patch of the browser (MS10-002), the new real-world example of UXSS is prompting Microsoft to prep a new patch for June.

Cross-site scripting is the practice of embedding malicious script into a Web page that can execute when users visit the page. In this case, the user would visit a SharePoint intranet page. However, it's been a concern with other Microsoft products. This latest advisory comes just days after Microsoft said it plans to fix an XSS security hole in Internet Explorer 8.

Such attacks typically begin through a "specially crafted" URL sent in an e-mail or IM message that directs the user to a Web site with the malicious script. The script may allow the attacker to gain the same network rights as the user.

Joshua Talbot, security intelligence manager at Symantec Security Response, added that such an attack requires a multifaceted and sophisticated method of incursion.

"First, they would have to find a suitable target Web site that allows users to publish content, such as a social networking site," he said. "Second, they would have to lure the victim to this page by clicking a specially crafted link. Finally, they would have to have the victim follow the link with a vulnerable Web browser."

Talbot added that with the increasing reliance on browsers and Web sites for banking and communication, UXSS vulnerabilities will become increasingly useful and valuable to attackers.

Internet Explorer 8 has a XSS filter that is turned on by default, although the filter ironically has a flaw that can enable XSS attacks. That said, Chenxi Wang, security and risk management analyst at Forrester Research, believes that users shouldn't discount the XSS prevention functions in IE 8 with regard to the SharePoint issue.

"The fact that the cross-site scripting filter introduces an additional vulnerability is unfortunate but sometimes it is a fact of life," she said. "Any time you introduce a new functionality, you introduce the possibility of new vulnerabilities because of the complexity of writing correct software."

Microsoft issued a security advisory on Thursday for a vulnerability in Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007.

View Article



Comments

  • There are no comments yet. Be the first to comment!

Leave a Comment
  • Your email address will not be published. All fields are required.

Top White Papers and Webcasts

  • On-demand Event Event Date: July 28, 2016 Jepsen tests are third-party tests for distributed databases that validate vendors' guarantees about how they perform under various failure scenarios, especially network partitions. These have proven their value as tools in any distributed system tester's arsenal. When the creator of Jepsen, Kyle Kingsbury, started his Jepsen-for-Hire business last fall, VoltDB immediately got in line, and over the past two months, our solution was given the most stringent Jepsen …

  • Microsoft® Office 365 is a top choice for enterprises that want a cloud-based suite of productivity/ collaboration applications. With Office 365, you get access to Microsoft™ Office solutions practically anytime, anywhere, on virtually any device. It's a great option for current Microsoft users who can now build on their experience with Microsoft™ solutions while enjoying the flexibility of a cloud-based delivery. But even organizations with no previous investment in Microsoft will find that …

Most Popular Programming Stories

More for Developers

RSS Feeds

Thanks for your registration, follow us on our social networks to keep up-to-date