News

Microsoft Warns of SharePoint Security Flaw

Microsoft issued a security advisory on Thursday for a vulnerability in Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007.

The vulnerability affecting those applications has elevation-of-privilege implications for organizations. An attacker can use a cross-site scripting (XSS) technique to "run arbitrary script" that may lead to the attacker gaining access rights on a Web site running SharePoint, according to the advisory.

Cross-site scripting is the practice of embedding malicious script into a Web page that can execute when users visit the page. In this case, the user would visit a SharePoint intranet page. However, it's been a concern with other Microsoft products. This latest advisory comes just days after Microsoft said it plans to fix an XSS security hole in Internet Explorer 8.

Such attacks typically begin through a "specially crafted" URL sent in an e-mail or IM message that directs the user to a Web site with the malicious script. The script may allow the attacker to gain the same network rights as the user.

Microsoft plans to issue a security update to fix the vulnerability. In the mean time, the security advisory contains a workaround that describes steps to restrict access to "SharePoint help.aspx XML files." Restricting access to those files prevents exploitation of this vulnerability, according to the advisory.

Internet Explorer 8 has a XSS filter that is turned on by default, although the filter ironically has a flaw -- to be fixed in June -- that can enable XSS attacks. That said, Chenxi Wang, security and risk management analyst at Forrester Research, believes that users shouldn't discount the XSS prevention functions in IE 8 with regard to the SharePoint issue.

"The fact that the [cross-site scripting filter] introduces an additional vulnerability is unfortunate but sometimes it is a fact of life," she said. "Any time you introduce a new functionality, you introduce the possibility of new vulnerabilities because of the complexity of writing correct software."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

comments powered by Disqus

Featured

  • Semantic Kernel Agent Framework Graduates to Release Candidate

    With agentic AI now firmly established as a key component of modern software development, Microsoft graduated its Semantic Kernel Agent Framework to Release Candidate 1 status.

  • TypeScript 5.8 Improves Type Checking, Conditional Feature Delayed to 5.9

    Microsoft shipped TypeScript 5.8 with improved type checking in some scenarios, but thorny problems caused the dev team to delay related work to the next release.

  • Poisson Regression Using C#

    Dr. James McCaffrey from Microsoft Research presents a complete end-to-end demo of Poisson regression, where the goal is to predict a count of things arriving, such as the number of telephone calls received in a 10-minute interval at a call center. When your source data is close to mathematically Poisson distributed, Poisson regression is simple and effective.

  • Cloud-Focused .NET Aspire 9.1 Released

    Along with .NET 10 Preview 1, Microsoft released.NET Aspire 9.1, the latest update to its opinionated, cloud-ready stack for building resilient, observable, and configurable cloud-native applications with .NET.

  • Microsoft Ships First .NET 10 Preview

    Microsoft shipped .NET 10 Preview 1, introducing a raft of improvements and fixes across performance, libraries, and the developer experience.

Most   Popular

Subscribe on YouTube

Upcoming Training Events

0 AM