Microsoft Scrambles to Patch New SharePoint Security Hole
New zero-day flaw could enable attacks on Microsoft's SharePoint Server if a user clicks a booby-trapped link, giving new meaning to the term SharePoint collaboration.
Microsoft has issued a Security Advisory warning customers that code for a newly revealed zero-day vulnerability in its SharePoint collaboration server is circulating on the Web.
While it is still investigating the problem and working on a patch, Microsoft (NASDAQ: MSFT) is providing a workaround in the interim, according to the Security Advisory.
The flaw does not affect the latest version, Office SharePoint 2010, which was recently released to manufacturing and is targeted for a May 12 launch. However, Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007 are both at risk.
Microsoft's advisory said that the company is working on a patch for the exploit, which was discovered by Swiss security firm High-Tech Bridge SA and reported to the public on Wednesday. However, Microsoft hasn't said yet when the patch will be finished, tested, and distributed -- whether immediately after it's completed, or as part of its regular security patch cycle.
In the meantime, Microsoft described a workaround that disables SharePoint's Help system to block the attack.
According to a posting on seclists.org, High-Tech Bridge notified Microsoft of the flaw on April 12, slightly more than two weeks before it published its proof-of-concept code.
It has become fairly common for Microsoft to respond as quickly as possible to zero-day vulnerability disclosures.
At the end of March, for instance, Microsoft issued a so-called "out-of-band" patch for a zero-day hole found in Internet Explorer (IE) 6 and 7, rather than wait for its next monthly Patch Tuesday patch release, which came two weeks later on April 13.
The new vulnerability may not turn out to be as dangerous as it seems on the surface, though. This latest exploit relies on cross-site scripting (XSS), in which an attacker's script is injected into a site the user trusts and runs in the user's browser with that user's privileges on the site -- a popular attack vector for hackers.
For example, if the attacker can trick a user into clicking on a booby-trapped URL in an e-mail, and the user is already logged onto a SharePoint Server, a malicious script could execute with the user's privileges in SharePoint.
That requires the user to click a link, however, so exploiting the flaw takes more effort than many other popular attacks, such as triggering a malicious file download simply by visiting a malicious Web page -- a so-called "drive-by download."
Additionally, IE8 features an XSS filter that prevents such attacks in the browser's Internet zone.
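To make the mechanism described above concrete, here is an added example in Python that is not from the article, Microsoft or High-Tech Bridge: a constructed stand-in for a help page that echoes a URL parameter into its HTML, shown with and without output encoding, next to a simplified model of a browser-side reflected-XSS filter like IE8's and of the "disable Help" workaround. The page path, the "topic" parameter, the function names and the filter heuristics are assumptions for illustration only.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a help page that echoes a query parameter into its
# HTML. Names (serve_help, "topic") are hypothetical, not SharePoint's own.
def serve_help(url: str, escape: bool = True, help_enabled: bool = True):
    """Return (HTTP status, body) for a request to the help page."""
    if not help_enabled:
        # Models the interim workaround: take the affected page offline.
        return 403, "<html><body>Help is disabled.</body></html>"
    topic = parse_qs(urlsplit(url).query).get("topic", [""])[0]
    # Output encoding is the real fix: the browser then displays the text
    # instead of running it inside the user's authenticated session.
    shown = html.escape(topic, quote=True) if escape else topic
    return 200, f"<html><body><h1>Help: {shown}</h1></body></html>"

# Simplified model of a browser-side reflected-XSS filter like IE8's:
# flag script-like markup from the request URL that reappears in the body.
SCRIPT_LIKE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)

def reflected_script(url: str, body: str) -> bool:
    for values in parse_qs(urlsplit(url).query).values():
        if any(SCRIPT_LIKE.search(v) and v in body for v in values):
            return True
    return False

# Constructed sample links; the marker is inert text, not a working payload.
BENIGN = "https://intranet.example/help?topic=Lists+%26+Libraries"
BOOBY_TRAPPED = "https://intranet.example/help?topic=<script>MARKER</script>"

if __name__ == "__main__":
    for url in (BENIGN, BOOBY_TRAPPED):
        for escape in (False, True):
            status, body = serve_help(url, escape=escape)
            print(f"escape={escape} filtered={reflected_script(url, body)} {body}")
```

Only the unencoded response to the booby-trapped link both contains the raw markup and trips the filter; encoding the output, or disabling the page, removes the problem at the server rather than relying on the browser.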
Further discussion of the problem and workarounds is available on the Microsoft Security Response Center (MSRC) Security Research & Defense blog.