Four days ago, Microsoft urged SharePoint 2007 administrators to protect systems against a recently revealed zero day vulnerability that could be exploited to steal company confidential data. The bug, which was disclosed Wednesday by the Swiss security consultancy High-Tech Bridge, could be used by attackers to acquire private information from companies' SharePoint servers, which are widely used to power corporate intranets and enable internal collaboration.
Although Microsoft acknowledged that it was working on a fix, there is no ship date for the update. Instead, the company offered a temporary work-around by disabling access to SharePoint's help system. A pair of commands from the command prompt can handle this solution. The commands modify Windows' list of file access permissions (ACL).
Another clue from Microsoft is that administrators should run Internet Explorer 8 (IE8), which includes a cross-site scripting filter that can reduce the risk of XSS attack. However, administrators will need to modify Internet Explorer's settings to switch on the filter for the Local Intranet security zone of the browser, which is off by default. Network administrators can also use Group Policies to enable the filter in the Local Intranet Zone for all IE8 users in the network.
The vulnerable MS applications are SharePoint Server 2007 and SharePoint Services 3.0. The newer SharePoint Server 2010 which will launch on May 12 along with Office 2010 is immune to this exploit.