Microsoft Advice How to Avoid SharePoint 0day Exploit

Date: May 3, 2010

Four days ago, Microsoft urged SharePoint 2007 administrators to protect their systems against a recently revealed zero-day vulnerability that could be exploited to steal confidential company data. The bug, which was disclosed Wednesday by the Swiss security consultancy High-Tech Bridge, could be used by attackers to acquire private information from companies' SharePoint servers, which are widely used to power corporate intranets and enable internal collaboration.

"The most likely attack scenario is that an attacker sends a malicious link to a user who is logged into their SharePoint server. If the user clicks the link, the JavaScript created by the attacker and embedded in the link would execute in the context of the user who clicked the link," said Microsoft security engineers in an entry on the company's "Security Research & Defense" blog late Thursday.

Although Microsoft acknowledged that it was working on a fix, there is no ship date for the update. Instead, the company offered a temporary work-around: disabling access to SharePoint's help system. This is done with a pair of commands run from the command prompt, which modify the Windows file access permissions (the access control list, or ACL).

Microsoft also advises administrators to run Internet Explorer 8 (IE8), which includes a cross-site scripting filter that can reduce the risk of an XSS attack. However, the filter is off by default for the browser's Local Intranet security zone, so administrators will need to modify Internet Explorer's settings to switch it on for that zone. Network administrators can also use Group Policy to enable the filter in the Local Intranet zone for all IE8 users on the network.
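As an added illustration (not code from Microsoft or from the original article), the following PowerShell sketch reports whether the XSS filter is switched on for the Local Intranet zone on a workstation. It relies on Internet Explorer's zone settings in the registry, where zone `1` is Local Intranet and URL action `1409` is the XSS filter (`0` = enabled, `3` = disabled); the order in which the four locations are checked is a simplifying assumption, and the function name is hypothetical.

```powershell
# Added example: audit the IE8 XSS filter setting for the Local Intranet zone.
# Zone 1 = Local Intranet; URL action 1409 = XSS filter (0 = enabled, 3 = disabled).
$ZoneSubKey = 'Internet Settings\Zones\1'
$Action     = '1409'

# Locations are checked in this order and the first one that defines the value wins.
# Assumption: policy keys override preference keys, machine before user.
$Locations = @(
    @{ Source = 'Machine policy';     Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\$ZoneSubKey" },
    @{ Source = 'User policy';        Path = "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\$ZoneSubKey" },
    @{ Source = 'User preference';    Path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\$ZoneSubKey" },
    @{ Source = 'Machine preference'; Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$ZoneSubKey" }
)

# Hypothetical helper: returns an object describing where the setting came from.
function Get-IntranetXssFilterState {
    foreach ($loc in $Locations) {
        # A missing key or value is expected on unconfigured machines, so errors are silenced.
        $prop = Get-ItemProperty -Path $loc.Path -Name $Action -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            $value = [int]$prop.$Action
            $state = switch ($value) {
                0       { 'Enabled' }
                3       { 'Disabled' }
                default { "Unknown ($value)" }
            }
            return New-Object PSObject -Property @{
                Source = $loc.Source; Path = $loc.Path; Value = $value; State = $state
            }
        }
    }
    # Nothing set anywhere: the zone default applies, which the article says is off.
    New-Object PSObject -Property @{
        Source = 'Not configured'; Path = $null; Value = $null; State = 'Zone default'
    }
}

$result = Get-IntranetXssFilterState
$result | Format-List Source, Path, Value, State

if ($result.State -ne 'Enabled') {
    Write-Warning 'The XSS filter is not enabled for the Local Intranet zone on this machine.'
}
```

A result sourced from one of the policy locations indicates the setting is being delivered by Group Policy rather than set by hand in the browser.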

The vulnerable Microsoft applications are SharePoint Server 2007 and SharePoint Services 3.0. The newer SharePoint Server 2010, which will launch on May 12 along with Office 2010, is immune to this exploit.



  • Susan Davis says:

    I am getting the following "infection" when I click on a link to read comments on a web site I go to regularly (just yesterday w/o problem). I can access the site & the blog, but not the comments links for individual blog entries:

    Exploit Link to Exploit Site (type 1336)

    I'm afraid this wonderful information is gibberish to me as my nickname is Technoweenie. Any thoughts?
