News

Microsoft Warns of SharePoint Security Flaw

Microsoft issued a security advisory on Thursday for a vulnerability in Microsoft Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007.

The vulnerability affecting those applications has elevation-of-privilege implications for organizations. An attacker can use a cross-site scripting (XSS) technique to "run arbitrary script" that may lead to the attacker gaining access rights on a Web site running SharePoint, according to the advisory.

Cross-site scripting is the practice of embedding malicious script into a Web page that can execute when users visit the page. In this case, the user would visit a SharePoint intranet page. However, it's been a concern with other Microsoft products. This latest advisory comes just days after Microsoft said it plans to fix an XSS security hole in Internet Explorer 8.

Such attacks typically begin through a "specially crafted" URL sent in an e-mail or IM message that directs the user to a Web site with the malicious script. The script may allow the attacker to gain the same network rights as the user.

Microsoft plans to issue a security update to fix the vulnerability. In the mean time, the security advisory contains a workaround that describes steps to restrict access to "SharePoint help.aspx XML files." Restricting access to those files prevents exploitation of this vulnerability, according to the advisory.

Internet Explorer 8 has a XSS filter that is turned on by default, although the filter ironically has a flaw -- to be fixed in June -- that can enable XSS attacks. That said, Chenxi Wang, security and risk management analyst at Forrester Research, believes that users shouldn't discount the XSS prevention functions in IE 8 with regard to the SharePoint issue.

"The fact that the [cross-site scripting filter] introduces an additional vulnerability is unfortunate but sometimes it is a fact of life," she said. "Any time you introduce a new functionality, you introduce the possibility of new vulnerabilities because of the complexity of writing correct software."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

comments powered by Disqus

Featured

  • Low-Coding in the Age of AI: Dataverse Embraces Copilot, Claude and Cursor

    Microsoft is extending Dataverse into coding-agent marketplaces while expanding its MCP tools, certification program and governance controls.

  • Visual Studio Takes Aim at Copilot Billing Shock

    Beyond Copilot usage visibility, the June update delivers several other enhancements centered on AI-assisted development, security and quality-of-life improvements. Here's a quick rundown of the remaining additions announced by Microsoft.

  • Claude AI Gets Yet Another Boost in VS Code 1.128

    The July 8, 2026, Visual Studio Code update expands agent workflows, chat attachments, browser-tab controls, OS-level shortcuts and enterprise telemetry management.

  • TypeScript 7 Arrives to Rock VS Code with Go-Powered Speed

    Microsoft says TypeScript 7, announced July 8, brings native Go performance to VS Code, Visual Studio and other editors.

Subscribe on YouTube