Woody Windischman

Apr-29-2010

SharePoint 2007 Security Vulnerability - Action Required

Stop the Presses!

Microsoft has announced the discovery of a cross-site scripting vulnerability in the SharePoint 2007 (and WSS 3.0) Help system. Although they are still investigating the root cause and working on a long-term solution, they have provided a workaround which will mitigate the only known (at the time of this writing) attack vector. You can read the details of the vulnerability and a server-side workaround in Security Advisory 983438. The Security team have also posted some more explanations about this class of vulnerability and some client-side mitigations in this blog post.

A Little More Info

The vulnerability is what is known as an "injection attack". Essentially, arbitrary JavaScript can be run by being passed as a carefully crafted parameter to the built-in SharePoint Help page. This script will run in the context of the current user's client session, and can therefore perform any actions against the SharePoint site that the user could.

This does not turn the user into an administrator, or otherwise elevate their own privileges. As far as I can tell, it does not (as some reports have suggested) expose the user's password.

Update: This is with the default SharePoint authentication. Custom authentication methods could potentially store credentials in an accessible manner. I have no way to test that scenario, but any attacker would need intimate knowledge of how that authentication module worked in order to exploit it.

So, while your passwords are probably safe, this vulnerability could allow an attacker to probe for and read any information in SharePoint that the user does have access to, or to vandalize or destroy information the user is permitted to update. Therefore, for the time being I strongly suggest disabling the help.aspx file in the Layouts folder of your SharePoint servers, either by following the instructions in the security advisory or through other means. (At this time, I don't suggest just deleting the file.)

Update #2

It has been pointed out that, although the attack itself cannot (usually) directly glean the user's credentials, an injected script could prompt an unsuspecting user into providing them, thinking the request was coming from your site. This does not change my advice (applying the mitigation procedures), but it should increase your priority in doing so.
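
One way to check IIS logs for attempts against the Help page, as an added example that is not part of the original post or the advisory: it flags requests to help.aspx whose query string decodes to script-like markup, including double-encoded input. The log lines, the `example` and `topic` parameter names, the `/_layouts/` URL prefix and the use of status 403 for a request refused after the workaround is applied are all assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines; parameter names are placeholders.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2010-04-29 10:01:12 GET /_layouts/help.aspx topic=overview 10.0.0.5 200
2010-04-29 10:02:40 GET /_layouts/help.aspx example=%3Cscript%3Ealert(1)%3C%2Fscript%3E 10.0.0.9 200
2010-04-29 10:03:02 GET /_layouts/Help.aspx example=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E 10.0.0.9 200
2010-04-29 10:04:15 GET /_layouts/viewlsts.aspx - 10.0.0.5 200
2010-04-29 10:05:30 GET /_layouts/help.aspx example=%3Cscript%3Ealert(1)%3C%2Fscript%3E 10.0.0.7 403
"""

# Markup that has no business appearing in a help-page query string.
SUSPICIOUS = re.compile(r"<\s*/?\s*(script|img|svg|iframe)\b|javascript:|\bon\w+\s*=", re.I)

def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding so double-encoded input is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(log_text):
    """Return one finding per help.aspx request carrying script-like input.
    'served' is True when IIS answered 200, i.e. the page was not blocked."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().endswith("/help.aspx"):
            continue
        query = fully_decode(row.get("cs-uri-query", "-"))
        if SUSPICIOUS.search(query):
            findings.append({
                "when": f'{row["date"]} {row["time"]}',
                "client": row["c-ip"],
                "served": row["sc-status"] == "200",
                "query": query,
            })
    return findings

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Findings with `served` set to True are the ones to follow up first, since the page was delivered to the client rather than refused.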


Apr-26-2010

As if You Didn't Know...

Some SharePoint News

Life has been a bit hectic around here, but I haven't disappeared. Here's a quick rundown of some recent and upcoming events.

First, the big news -

SharePoint 2010 is Available!

Not all editions, but you can get the most popular parts if you are a subscriber to MSDN or TechNet Plus:

  • Microsoft Office 2010 Professional Plus
  • Microsoft SharePoint Foundation 2010 (this replaces Windows SharePoint Services)
  • Microsoft SharePoint Server 2010 (this replaces MOSS. You can get keys for Standard or Enterprise edition)
  • Office Web Apps (Web-based versions of Word, Excel, PowerPoint, and OneNote)
  • Microsoft SharePoint Designer 2010

Look for launch events all over the place throughout the summer!

You Have Two Chances for Live Chat Online with MVPs!

The other news for this week is that there are not one, but two MVP real-time chats with your favorite SharePoint MVPs. The first one is tomorrow (Tuesday, April 27) at 4:00pm Pacific time (7:00pm Eastern). The second chat is Wednesday at 9:00am Pacific (12 noon Eastern). Check out the MVP Program Blog for details of where to sign in and who'll be online when, but I can tell you that I'll be online for the Wednesday Chat!

That's all for now. I'll see you there!


Published: Apr-26-10 | 0 Comments | 0 Links to this post

Apr-13-2010

An Engaging Experience

Stalking the Ruby-hearted Gleamcatcher

Updated 4/19 to use a picture of the real ring rather than the catalogue image...

OK, so this still isn't the article on incoming SharePoint email that I promised. That article (which will be cross-posted at EndUserSharePoint.com) is still coming, as is an article for Microsoft's Get the Point! blog. But from a personal standpoint, this is even more important.

Over the Easter holiday weekend, I proposed to my girlfriend, Brenda, while we were on a nature walk. Essentially, I set it up so that on our walk we would be seeking out the nesting site of the very rare "Ruby-hearted gleamcatcher." It turned out that the "gleamcatcher" was actually a ruby and diamond pendant, and the "nest" was its box, which I had previously nestled in a tree.

After I gave it to her, I figured she would be a little disappointed, since we had been discussing the idea of marriage for a while. So, I mentioned that the reason I chose that particular pendant was that it went along so nicely with the ring I had in my pocket (pictured above). I took it out and placed it on her finger, asking her to join me forever on that great nature walk of life (OK, those weren't quite the words I used, but they should have been).

To make a long story short, she said "Yes!", so on August 1st...

We're Getting Married!

(Note: Brenda is a much more private person than I am, and doesn't like her picture taken, so sorry, no pix at this time. Maybe for our wedding site once I have that set up.)


Published: Apr-13-10 | 4 Comments | 0 Links to this post