Microsoft Warns Of SharePoint Zero-Day Flaw

Microsoft issued an advisory Thursday warning users of a cross-site scripting, zero-day flaw in SharePoint Server 2007 and SharePoint Services 3.0.

Microsoft said that the vulnerability opens the door for hackers to launch elevation of privilege attacks within the SharePoint site -- as opposed to an elevation of privilege attack within the workstation or server environment -- but didn't provide details on other possible types of attacks, or the severity and implications of the vulnerability.

During an attack, hackers could gain access to the SharePoint Server by creating and sending an infected link embedded in an e-mail, typically via some kind of social engineering scheme targeted at an organization's users. Victims would then download malicious code once they opened the infected links.

However, researchers at consulting firm High-Tech Bridge, who first detected the SharePoint flaw, issued an advisory warning that the vulnerability could enable attackers to gain entry into the SharePoint Server and take control of highly sensitive information, which could include corporate assets and intellectual property.

"The vulnerability exists due to failure in the "/_layouts/help.aspx" script to properly sanitize user-supplied input in "cid0" variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data."

However, other security experts contend that while possible, the chances of a successful widespread attack remained small.

"The worst case with this vulnerability is an attacker actually finds a person to phish a malicious link. This would allow the attack to run arbitrary JavaScript on the SharePoint server," said Jason Miller, data and security team manager for patch management company Shavlik Technologies, in an e-mail. "The likelihood of a widespread attack is pretty low as you are talking about a program that is not commonly used in most day to day business operations."

High-Tech Bridge researchers published a proof-of-concept exploit two weeks after they disclosed the issue to Microsoft on April 12.

Next: Microsoft Says Servers Are At Reduced Risk

Microsoft said that servers are a little more shielded with Internet Explorer 8 clients, due to the fact that the IE 8 XXS filter helps mitigate the risk of these types of attacks.

"Servers are at reduced risk from Internet Explorer 8 clients, as the Internet Explorer 8 XSS filter helps to mitigate the issue in the internet zone. We are not aware of any active attacks at this time," said Jerry Bryant, Microsoft group manager for response communications in a company blog post.

Security experts say that currently there are no active in-the-wild attacks exploiting the SharePoint vulnerability, which thus far is limited to a public proof-of-concept exploit. But that might change now that exploit code has been made public, experts say.

As of now, a patch repairing the issue is currently unavailable, however Microsoft anticipates that a fix will be released some time in June.

Microsoft said in its advisory that a fix would either be provided through its monthly Patch Tuesday release process or by issuing an out-of-band security update, depending on "customer needs," which generally are determined by the severity and likelihood of an exploit or the proliferation of active attacks.

Until an update is released, the company is encouraging its users to apply both server and endpoint workarounds relayed in its security advisory, which include restricting access to the SharePoint help.aspx XML files while enacting the IE 8 XSS filter in the Intranet zone.

Microsoft said it was actively working to investigate and address the problem, while working with partners and researchers in its Microsoft Active Protections Program.

"As always, Microsoft strives to work with security researchers to address vulnerabilities in our software. This helps ensure that customers receive comprehensive, high-quality updates before cyber criminals learn of -- and work to exploit -- a vulnerability," Bryant said.

"Responsible disclosure protects the computer ecosystem and individual computer users from harm," he added.

Regarding its vulnerability disclosure policies on its Website, High Tech Bridge said, "If Vendor does not provide any feedback or if vendor's response is incomplete (e.g. absence of proposed disclosure date) for 14 days (2 weeks) period since the notification " vulnerability detailed are automatically disclosed to public."