Microsoft Warns of SharePoint Security Flaw

The vulnerability affecting those applications has elevation-of-privilege implications for organizations. An attacker can use a cross-site scripting (XSS) technique to "run arbitrary script" that may lead to the attacker gaining access rights on a Web site running SharePoint, according to the advisory.

Security experts and Microsoft's Ross explained that unlike traditional XSS attacks that require the vulnerability to exist on a specific infected Web site, UXSS attacks target vulnerabilities in client applications, such as browsers, browser plug-ins and PDF readers.

"This issue manifests when malicious script can "break out" from within a construct that is already within an existing script block," wrote Ross. He added that while the issue was preliminarily identified and addressed in a January patch of the browser (MS10-002), the new real-world example of UXSS is prompting Microsoft to prep a new patch for June.

Cross-site scripting is the practice of embedding malicious script into a Web page that can execute when users visit the page. In this case, the user would visit a SharePoint intranet page. However, it's been a concern with other Microsoft products. This latest advisory comes just days after Microsoft said it plans to fix an XSS security hole in Internet Explorer 8.

Such attacks typically begin through a "specially crafted" URL sent in an e-mail or IM message that directs the user to a Web site with the malicious script. The script may allow the attacker to gain the same network rights as the user.

Joshua Talbot, security intelligence manager at Symantec Security Response, added that such an attack requires a multifaceted and sophisticated method of incursion.

"First, they would have to find a suitable target Web site that allows users to publish content, such as a social networking site," he said. "Second, they would have to lure the victim to this page by clicking a specially crafted link. Finally, they would have to have the victim follow the link with a vulnerable Web browser."

Talbot added that with the increasing reliance on browsers and Web sites for banking and communication, UXSS vulnerabilities will become increasingly useful and valuable to attackers.

Internet Explorer 8 has a XSS filter that is turned on by default, although the filter ironically has a flaw that can enable XSS attacks. That said, Chenxi Wang, security and risk management analyst at Forrester Research, believes that users shouldn't discount the XSS prevention functions in IE 8 with regard to the SharePoint issue.

"The fact that the cross-site scripting filter introduces an additional vulnerability is unfortunate but sometimes it is a fact of life," she said. "Any time you introduce a new functionality, you introduce the possibility of new vulnerabilities because of the complexity of writing correct software."

Microsoft issued a security advisory on Thursday for a vulnerability in Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007.

View Article



Comments

  • There are no comments yet. Be the first to comment!

Leave a Comment
  • Your email address will not be published. All fields are required.

Top White Papers and Webcasts

  • IBM Worklight is a mobile application development platform that lets you extend your business to mobile devices. It is designed to provide an open, comprehensive platform to build, run and manage HTML5, hybrid and native mobile apps.

  • Live Event Date: November 13, 2014 @ 2:00 p.m. ET / 11:00 a.m. PT APIs can be a great source of competitive advantage. The practice of exposing backend services as APIs has become pervasive, however their use varies widely across companies and industries. Some companies leverage APIs to create internal, operational and development efficiencies, while others use them to drive ancillary revenue channels. Many companies successfully support both public and private programs from the same API by varying levels …

Most Popular Programming Stories

More for Developers

Latest Developer Headlines

RSS Feeds