It’s no secret that putting SharePoint installations online and making them accessible without authentication is standard practice in many organizations. Those SharePoint administrators, however, may want to rethink their policies after today’s Microsoft Patch Tuesday security bulletins release.
Microsoft patched 10 critical SharePoint vulnerabilities today, one of four critical bulletins released by Microsoft—among 13 in all, patching 47 vulnerabilities across a number of product lines. Details of one of the SharePoint bugs—a POST cross-site scripting flaw—have already been publicly disclosed, and all of the vulnerabilities can lead to remote code execution on the collaboration server.
Microsoft SharePoint Server 2007 and 2010 are affected, according to bulletin MS13-067, as are Microsoft SharePoint Services 2.0 and 3.0, and Microsoft SharePoint Foundation 2010. The most critical is CVE-2013-1330, a remote code execution bug that could give an attacker privileges in the context of the W3WP service account. While the bug requires authentication, any SharePoint server that has disabled it is vulnerable to exploit without user interaction.
“It’s interesting that Microsoft prioritized the SharePoint bulletin as highly as they did. In theory, the vulnerability requires authentication. Given the frequency with which people disable SharePoint authentication and the ease of access to documentation on that process, the priority needs to be that high,” said Tyler Reguly, technical manager of security research and development at Tripwire. “People know their computers and email need good passwords. It boggles my mind that we see so many SharePoint deployments in anonymous mode.”
Microsoft is also patching denial of service, memory corruption and cross-site scripting vulnerabilities in SharePoint. Attackers can tamper with ViewState data and crash a SharePoint server that is running without authentication, or gain code execution by sending malicious ViewState data.
“By default, the pages require authentication, which limits the attack vector,” said Qualys CTO Wolfgang Kandek. “If you have reconfigured authentication, this bulletin should be high on your list.”
Plenty of angst was shared following last week’s advance notification of today’s patches regarding a bug in Outlook that was exploitable by merely previewing an email message. Microsoft still rated MS13-068 critical, but defused a lot of worry over its potential for exploit, explaining that the flaw would difficult if not impossible to trigger.
“In fact, we’re not certain that the issue is exploitable at all, but out of an abundance of caution and because attack technology improves over time, we are issuing the security update today,” said Jinwook Shin of the Microsoft Security Resource Center.
The bug is a message certificate vulnerability, which exists in the way Outlook 2007 and 2010 parses S/MIME messages, Microsoft said. Shin called it a double free vulnerability in a blogpost and explained that the conditions for exploit are not always met.
“An attacker can exploit the certificate parsing algorithm by signing an e-mail and nesting over 256 certificates in the signature,” Qualys’ Kandek said. “The attack causes a buffer overflow, even if just visualized in Outlook’s preview pane.”
Microsoft also released another cumulative security update for Internet Explorer. Bulletin MS13-069 patches 10 vulnerabilities that can be triggered by visiting malicious sites; IE 6-10 are impacted by the numerous memory corruption vulnerabilities.
The final critical vulnerability, MS13-070, is in Windows, specifically in OLE that allows remote code execution if a file with a malicious OLE object is opened. The bulletin, however, is limited to Windows XP and Windows Server 2003, both of which will no longer be supported after April 2014.
“MS13-070 is concerning because it only applies to XP and Server 2003 and those vulnerabilities tend to be less ‘contained’ than more mature versions of Windows,” said Rapid7 senior manager of security engineering Ross Barrett. “XP and Office 2003 have shown no let-up in patching frequency, despite the end of support for XP looming just around the corner in April 2014. April will be here before we know it, and who knows what patches will never make it out the door, let alone be found after that date in one of the world’s most widely deployed operating systems.”
The remaining bulletins were rated Important by Microsoft:
- MS13-071 is a remote code execution bug in Windows Theme File executed when a user is tricked into applying a malicious these on their system.
- MS13-072 patches 13 vulnerabilities in Microsoft Word and MS 13-073 is another Office patch, this one in Excel, both of which could lead to remote code execution. Kandek said: “To exploit these, an attacker needs to entice the target to open a malicious file, most likely through a spear phishing type of e-mail. Microsoft only rates these vulnerabilities as ‘important’ because they require the target to cooperate. However, attackers have proven time and again that they have the necessary social engineering techniques to overcome that obstacle with ease.”
- MS13-074 repairs three vulnerabilities in the Microsoft Access database that could give an attacker remote code execution capabilities if a user opens a malicious file
- MS13-075 patches a vulnerability in Microsoft Office IME (Chinese) that could give an attacker elevated privileges on a compromised machine. The attacker would have to be logged on and launch IE from the toolbar in Microsoft Pinyin IME for Chinese.
- MS13-076 addresses a Windows vulnerability in Kernel-Mode drivers that enables elevation of privileges.
- MS13-077 patches a Window bug in the Windows Service Control Manager that leads to privilege escalation.
- MS13-078 fixes an information disclosure vulnerability in Microsoft FrontPage.
- MS13-079 patches a denial of service vulnerability in Active Directory.