SharePoint Plagued by Serious XSS Vulnerability, Microsoft Announces
Article by George Norman
On 03 May 2010
Redmond-based software giant Microsoft has announced that SharePoint Server 2007 and SharePoint Services 3.0 are plagued by a XSS (cross-site scripting) vulnerability. The vulnerability in question could allow Elevation of Privilege (EoP) within the SharePoint site itself. If exploited by a person with malicious intent, the vulnerability could allow that person to run arbitrary script that could result in the elevation of privilege within the SharePoint site.

As Microsoft explained, Internet Explorer 8 (IE8) clients pose less of a risk to servers because IE8’s XSS filer helps mitigate the issue. “Sharepoint uses Http-Only cookies for authentication. HttpOnly cookies are not accessible through script, significantly mitigating the risk of XSS attacks. IE8’s XSS filter is enabled by default in the Internet Zone. The IE8 XSS filter catches this class of XSS attacks so users of IE8 are at the reduced risk from this vulnerability,” explained MRSC Engineering’s Jonathan Ness, David Ross, and Chengyun Chu.

Advertising

To help mitigate this issue, Microsoft has released Security Advisory 983438, which you can read here. The security advisory presents mitigations and workarounds that all customers running SharePoint Server 2007 or SharePoint Services 3.0 should review and apply.

According to Senior Security Communications Manager Lead with the MSRC (Microsoft Security Response Center), Jerry Bryant, Microsoft is not aware of any active attacks at the time.

“We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. As always, Microsoft strives to work with security researchers to address vulnerabilities in our software. This helps ensure that customers receive comprehensive, high-quality updates before cyber criminals learn of – and work to exploit – a vulnerability. Responsible disclosure protects the computer ecosystem and individual computer users from harm,” commented Jerry Bryant.

In related security news, you should know that Opera Software recently rolled out Opera 10.53. The update fixes a vulnerability classified by Opera Software as “extremely severe.”



Tags: Microsoft, SharePoint Server 2007, SharePoint Services 3.0, XSS, Security
About the author: George Norman
George is a news editor.
You can follow him on Google+, Facebook or Twitter

I Hope you LIKE this blog post! Thank you!
What do YOU have to say about this
blog comments powered by Disqus
Popular News
By George Norman on 17 Aug 2017
With the blockbuster movie season upon us, Sony decided to celebrate the occasion with a sale: the Attack of the Blockbusters Sale that offers discounts of up to 50% (60% if you’re a PlayStation Plus member) on a ton of PS4 video games.
By George Norman on 17 Aug 2017
Samsung’s new T5 portable solid-state drive (PSSD) uses the latest 64-layer V-NAND technology, offers between 250GB and 2TB of storage capacity, has a lightweight and shock-resistant design that’s smaller than the average business card, and delivers industry-leading transfer speeds of up to 540 MB/s.
Related News
By George Norman on 19 Jun 2017
Don’t worry. I’m not going to rehash all those facts that everyone already knows about Bill Gates, like how he got arrested for driving without a license, that he is a college dropout, and that he plans to give most of his fortune to charity.
By George Norman on 31 Jul 2017
Microsoft has a new keyboard to offer: the new, premium quality Microsoft Modern Keyboard with Fingerprint ID. If you’re not familiar with it, then keep on reading and you’ll uncover pretty much everything there is to know about this keyboard.
By George Norman on 18 Jul 2017
Sure, text remains the main method of communicating with others when using a messenger application like Skype, but if you really want to get the message across, using an emoticon, emoji or sticker can’t hurt.
By George Norman on 24 May 2017
We knew that Microsoft was about to release a new Surface Pro 2-in-1 device, but we weren't expecting them to pull an Apple move and call it "the new Surface Pro." What's wrong with Surface Pro 5?
Sponsored Links
Hot Software Updates
Top Downloads
Become A Fan!
Link To Us!
SharePoint Plagued by Serious XSS Vulnerability, Microsoft Announces
HTML Linking Code