bit-tech.net

MS investigates SharePoint zero-day

SharePoint suffers from a zero-day XSS vulnerability following the public posting of exploit code.

Microsoft has launched an investigation into an alleged zero-day flaw in its SharePoint groupware package following the public posting of exploit code by a security firm.

As reported over on ITworld, the cross-site scripting vulnerability in SharePoint was originally reported to Microsoft on the 12th of April by security firm High-Tech Bridge. When Microsoft didn't fix the flaw fast enough for the company's consultants, it went public with a post to the Bugtraq security mailing list.

Unfortunately for Microsoft, High-Tech Bridge's posting - entitled "XSS in Microsoft SharePoint Server 2007" - included not only a full description of the as-yet unpatched vulnerability but also a simple proof-of-concept exploit designed to trigger a JavaScript alert dialog.

While the code posted by High-Tech Bridge is innocuous enough as-is, there are fears that it could be easily exploited by ne'er-do-wells to run third-party code on affected SharePoint servers to access protected documents and download private data.

With no patch yet available from Microsoft, and with many corporations using SharePoint to power their Internet-facing employee intranets - complete with proprietary content such as product plans, customer information, and even financial information - a two-week gap between first notifying the vendor and making the vulnerability public seems a bit harsh, although High-Tech Bridge is quick to point out that those are its standard terms of disclosure.

Microsoft has kept quiet regarding the vulnerability so far, responding only to say that it is tracking the issue and will release its own security advisory with mitigation information and any details of a planned patch as soon as possible.

Do you believe that High-Tech Bridge was remiss in only allowing Microsoft two weeks to fix the flaw before going public, or should Microsoft have got workaround information to companies long before the deadline expired? Share your thoughts over in the forums.

10 Comments

Andy Mc 30th April 2010, 11:26
If High-Tech Bridge had not done this I think M$ would have dragged their feet in patching the exploit. Now they have been forced to look into the problem and address the hole.
Javerh 30th April 2010, 11:56
"We're sorry that we had to kick you in the face to show you how easy it is to kick you in the face."
RichCreedy 30th April 2010, 12:51
they perhaps shouldn't have released proof of concept exploit code
Andy Mc 30th April 2010, 13:05
Quote:
Originally Posted by RichCreedy
they perhaps shouldn't have released proof of concept exploit code

To be honest I don't think it would have made any difference if the code was not released. As the disclosure would have detailed the issue and any professional hacker would have been able to write their own working code from it.
ev1lm1nd666 30th April 2010, 17:46
Quote:
Originally Posted by Javerh
"We're sorry that we had to kick you in the face to show you how easy it is to kick you in the face."

+1 couldn't have said it better myself
eddtox 30th April 2010, 18:26
Meh, two weeks is a long time on the internet. With something this severe, ms should have been much quicker off the block.
aussiebear 30th April 2010, 19:46
You give 6 months for the developer to address the issue. It's common courtesy.

On the other hand, if you do NOT force Microsoft's hand; they tend to conveniently leave such reports on the shelf for over several months. (Even years.)

It's commonly known that Microsoft doesn't address security problems unless you force their hand. The problem is the internal structure and politics of the company. (It results in them being slow to respond to anything.)

Many end-users think it's the hackers and security researchers being the problem. Understand that they are the ones that have time and time again showed that there is something wrong with MS solutions. They are broadcasting an obvious signal...The problem is: No one is listening to the obvious!

Few have actually realised computer security sloppiness for the average consumer is because of the way Microsoft has done things.

Think about it...

(1) They are willing to compromise security for usability...Then cover a flawed implementation with market spinning.

eg: Windows 7's UAC default setting is flawed. It automatically allows one to run code embedded in a DLL with FULL admin privileges. As the setting auto-trusts rundll32.exe without warning the user...It means I can write malware and you won't be notified when the malware uses admin privileges to execute code...You need to set it to "Always Notify". But then, this behaves exactly like it did in Vista!

To cover this up: MS marketing has said Windows 7's UAC isn't a "security boundary". That's BS. They know it. They just won't admit they f**ked up with the design because it will potentially kill their Windows 7 sales. (Windows 7 is what's really making MS money; while they burn a truck load of cash on their Bing in order to compete with Google...Check their recent financial reports; you'll see this.)

(2) Their implementations are sloppy in security.

Here's what I mean: At a fundamental level, the way they do things sound nice on paper and marketing. But when it comes to actually implementing things or testing them on the real battlefield that is the Internet; it's a bit of a joke.

All those mechanisms like ASLR, DEP, Protected Mode, etc sound great for marketing security for Windows.

In reality? Every competent hacker or "security researcher" knows how to circumvent them. They do nothing when the code itself is flawed. (This is why IE loses in the annual Pwn2Own competition...IE needs to be re-written completely. This isn't going to happen as it costs time, money, and resources.)

(3) Poor default settings.

The way they offer things by default is like giving a teenager free access to a can of petrol and some matches...Then letting them loose.

Windows is an "Allow by default" system. The reason for this is because they want it to be as easy as possible...The way they go about it is flawed from a security perspective.

Then to compensate for this flaw; people are led to believe security can be achieved by installing anti-malware applications. These actually fail miserably in the real world. AV approach doesn't work against serious threats. It is a reaction. It will always be behind...And AV companies cannot keep up with the sheer number and variants of crap out there.

The hard reality is that people need to change their approach to computing. ie: "Deny by default".

It means only installing known clean/legit apps and denying stupid behaviour.

I did this for a company: Employees complain how they can't do this and that...

We respond by: "You aren't paid to play, view porn, social network, or install programs at your leisure. You're here to do a job you're being paid for. We've provided the applications you need for that job. If you want to do all that other stuff; do it on your own time and your own systems."

Result? Malware issues no longer exist. We have more problems with flakey quality hardware.


My overall point is this:

Without hackers and other talented individuals; companies like Microsoft, Apple, Adobe, etc wouldn't care about security. The end-user or consumer would be completely oblivious of how flaky things are being implemented. (Why would they care if the money keeps rolling in?)

As a paying customer of Microsoft products; you folks must demand more from them.

...Because the software you're getting isn't worth what they're asking for.

ie: For every dollar you are spending on software that bombs, has security issues, requires endless patching, etc; you're getting 59 cents worth of value.

That's from a guy I know who designs/implements highly reliable software...The kind of software that you can bet your life on; that regularly passes US's NSA scrutiny; and where the only bugs found, are due to typos in the documentation.
thehippoz 30th April 2010, 20:18
good post aussiebear.. couldn't have said it better

they are getting the failed mohave experiment to roll in some money

the uac has bothered me in 7 since it released.. really it's a joke to have it ship on that setting- not to mention whitelist a number of set apps like notepad.exe

guys were getting elevated without any warnings during rc.. but to credit them- a lot of people were running with the uac off in vista anyways (basically they didn't know how to use the task scheduler to run elevated)

it is a bit more user friendly and they did a lot of the tweaks needed right out of the box.. far as sharepoint- doesn't surprise anyone really

when you look at proprietary software.. this will always happen- it's a small group of programmers
MSHunter 2nd May 2010, 04:37
just use Linux and run windows in sandbox when u need it. Never run in SU and you will notice that you no longer need AV because you have to input SU password to install software, which gives you a moment to go... hhmmm?? do I think this is a safe piece of software from a reputable source?

Though I guess this does pre-suppose a certain level of "PC know how"
(there goes a big percentage of users). Sometimes I forget how little the average Joe knows about PCs and windows

"that thing that keeps my feet warm at work" (from a service line call)

I will never forget that one......
knutjb 2nd May 2010, 21:30
So easy to slam MS. What is missing is that ALL companies have to evaluate the severity of a flaw, risk management. Maybe this particular vulnerability is likely to be accessed under certain conditions. Or it could be this code could have significant consequences on certain hardware or other software configurations. Any fix must be validated to ensure the fix doesn't become a bigger problem than the original flaw. I don't have first hand exp with MS but this knee-jerk reaction happens every time someone finds a flaw.

What is the motivation of High-Tech Bridge? Is it genuine or are they drumming up business? No, I am not implying that they are but merely suggesting that such questions need to be asked. If it is so easy to slam MS, don't forget to look at who is crying foul and why.

To those who love pointing out Linux is so secure, or that Apple is so safe, it is only because they are small, proprietary, and MS is so big. If MS falls by the way side hackers will focus their attention on Linux, Apple, or whoever were to fill the void. It's the nature of the beast.

Sounds like I am defending MS, no. Just that perpetual, one-sided, knee-jerks that follow every announcement like this are long on critique, short on overall system management process understanding, sound naive to me.