Microsoft warns of serious SharePoint cross-site scripting zero-day

Robert Westervelt, News Editor

Microsoft issued a security advisory late Thursday warning SharePoint users of a new zero-day vulnerability in SharePoint that could allow elevation of privilege.

Jerry Bryant, Microsoft's group manager of response communications, said the software giant was unaware of any active attacks attempting to exploit the flaw. The cross-site scripting (XSS) vulnerability affects SharePoint Server 2007 and Windows SharePoint Services 3.0. It is exploited through the victim's browser: an attacker lures a user of the SharePoint site to a crafted link, and the injected script then runs with that user's session.

The Microsoft advisory includes a workaround to mitigate the threat. Microsoft said administrators can restrict access to the SharePoint Help.aspx page and its associated help XML files by adding a restrictive access control list to them. The workaround will, however, disable all help functionality on the SharePoint server, Microsoft said, so it should be reverted once a patch is installed.
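The following PowerShell is an added example of how an administrator might apply, verify and later revert an access-restricting ACL of the kind the advisory describes; it is not the advisory's own script nor code from the article. The path to Help.aspx is assumed (the 12 hive LAYOUTS folder used by SharePoint 2007 and WSS 3.0) and should be confirmed on the server, and the help XML files the advisory mentions are not covered here.

```powershell
# Added example, not from the article or from Microsoft's advisory.
# Assumed location of Help.aspx for SharePoint 2007 / WSS 3.0; verify on your server.
$helpPage = Join-Path ${env:ProgramFiles} 'Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx'

function Set-HelpPageAccess {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Revert
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Help.aspx not found at $Path"
    }
    if ($Revert) {
        # Remove every deny ACE for Everyone, restoring help functionality.
        & icacls $Path /remove:d Everyone | Out-Null
    } else {
        # Deny Everyone read/execute so IIS can no longer serve the page.
        # This is what disables SharePoint help for all users.
        & icacls $Path /deny 'Everyone:(RX)' | Out-Null
    }
}

function Test-HelpPageDenied {
    param([Parameter(Mandatory)] [string] $Path)
    # True when an explicit deny ACE for Everyone is present on the file.
    $acl = Get-Acl -LiteralPath $Path
    $denied = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'Everyone'
    }
    return [bool]$denied
}

# Apply the workaround and confirm it took effect.
Set-HelpPageAccess -Path $helpPage
if (-not (Test-HelpPageDenied -Path $helpPage)) {
    throw 'Deny ACE was not applied; check that the shell is elevated.'
}
Write-Host "Help.aspx access restricted; SharePoint help is now disabled."

# After the patch is installed, undo the workaround:
# Set-HelpPageAccess -Path $helpPage -Revert
```

Run this in an elevated shell on each front-end server. Because the deny ACE applies to Everyone, it also blocks the application pool identity, which is the point: a request for Help.aspx should then return an IIS error rather than the page. Check one request from a client before and after applying the change so that the rollback step can be verified the same way.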

Servers are at reduced risk from Internet Explorer 8 clients, Microsoft said. IE 8 includes an XSS filter that can block the attack, but it is enabled by default only in the Internet zone; SharePoint sites that users reach through the Local Intranet zone, which is the common intranet deployment, do not get that protection unless the filter is explicitly enabled there.

According to an advisory issued by High-Tech Bridge SA, a security firm based in Switzerland, the SharePoint vulnerability could enable an attacker to execute arbitrary JavaScript in the context of the vulnerable application, in the browser of any user tricked into following a crafted link. The firm said it notified Microsoft of the vulnerability on April 12.

"Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data," the firm warned.
