Article

Microsoft warns of serious SharePoint cross-site scripting zero-day

Robert Westervelt, News Editor, SearchSecurity.com

Microsoft issued a security advisory late Thursday, warning SharePoint users of a new SharePoint zero-day vulnerability that could allow elevation of privilege.

Jerry Bryant, Microsoft's group manager of response communications,

Requires Free Membership to View

said the software giant was unaware of any active attacks attempting to exploit the flaw. The cross-site scripting (XSS) vulnerability affects SharePoint Server 2007 and SharePoint Services 3.0. Proof-of-concept code is publicly available. The vulnerability can be exploited in a browser-based attack.

The Microsoft advisory includes a workaround to mitigate against the threat. Microsoft said users can restrict access by adding an access control list to SharePoint Help.aspx XML files. The workaround will, however, disable all help functionality from the SharePoint server, Microsoft said.

Servers are at reduced risk from Internet Explorer 8 clients, Microsoft said. IE 8 includes an XSS filter in the Internet zone that can block an attack.

According to an advisory issued by High-Tech Bridge SA, a security firm based in Switzerland, the SharePoint vulnerability could enable an attacker to execute JavaScript code within the vulnerable application. The firm said that it notified Microsoft of the vulnerability on April 12.

"Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data," the firm warned.