Security Advisory 983438 offers workarounds

Apr 30, 2010 11:26 GMT

The latest version of SharePoint Server, released alongside Office 2010 RTM, does not contain the vulnerable code behind a zero-day security flaw in SharePoint Server 2007 and Windows SharePoint Services 3.0. Microsoft is hard at work investigating reports of a previously undisclosed SharePoint vulnerability that could allow an attacker to run arbitrary script on affected systems. However, Jerry Bryant, group manager, Response Communications, Microsoft, underlines that even a successful exploit would result in nothing more than elevation of privilege within the SharePoint site. A potential attacker could not obtain the same result within the workstation or server environment, Microsoft explained.

“Servers are at reduced risk from Internet Explorer 8 clients, as the Internet Explorer 8 XSS filter helps to mitigate the issue in the internet zone. We are not aware of any active attacks at this time,” Bryant told Softpedia. Microsoft has already published Security Advisory 983438, offering extensive information on the new cross-site scripting (XSS) vulnerability in SharePoint.

Until a patch is offered by the software giant, customers running SharePoint 2007 or Windows SharePoint Services 3.0 should take the necessary measures to protect their environments. Business users “are encouraged to review and apply the mitigations and workarounds discussed in the Security Advisory. These include restricting access to the SharePoint help.aspx XML files and enabling the Internet Explorer 8 XSS filter in the intranet zone,” Bryant explained.

Microsoft is currently working on a security update to patch the vulnerability. As is generally the case, the company will either release the fix as part of its monthly patch cycle or provide an out-of-band security update if it considers that customers are at risk from active attacks in the wild. The software giant emphasized that details about the vulnerability had been made public instead of being responsibly disclosed.