Menu
Microsoft investigates SharePoint 2007 zero day

Microsoft investigates SharePoint 2007 zero day

Proof-of-concept code was released two weeks after Microsoft was notified of the flaw

Microsoft is scrambling to fix a bug in its SharePoint 2007 groupware after a Swiss firm abruptly released code that could be used in an attack.

The proof-of-concept code was released Wednesday, just over two weeks after security consultancy High-Tech Bridge says it disclosed the issue to Microsoft on April 12.

Although Microsoft hasn't said much about the seriousness of the bug, security experts worry that hackers could exploit the flaw in order to steal sensitive corporate information used by SharePoint customers, who use the software for building Web portals and collaborating on internal projects.

High-Tech Bridge discovered what is known as a cross-site scripting flaw in SharePoint. If the attacker can get a SharePoint user to click on a link, the bug lets the attacker essentially take control of the user's account.

"With a little bit of insider knowledge you can send a link to a SharePoint user, and if you can cross-site script them, you can do data exfiltration on whatever their account has access to," said Jeremiah Grossman, chief technology officer with Web security consultancy WhiteHat Security.

"Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data," High-Tech Bridge said in a note posted with its code. The company could not be reached immediately for comment.

Even if attackers could take control of a user's account, they might still have a hard time getting data outside of the corporate network, said Thierry Zoller, a principal security consultant with Verizon Business. "It is currently unclear whether there are means to exfiltrate documents over this attack vector," he said via instant message.

Microsoft has reproduced the bug on its internal systems and is now working on a security advisory that will include more information on the bug and what customers can do to secure their systems, said Jerry Bryant, a Microsoft security program manager in an e-mail message.

Two weeks isn't much time to fix a big, especially one that was disclosed the day before Microsoft's monthly security updates, but High-Tech Bridge says that it automatically discloses vulnerability details two weeks after notifying the vendor.

The company could not be immediately reached for comment.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

Hundreds of leaders from the New Zealand IT industry gathered at the Hilton in Auckland on 17 November to celebrate the finest female talent in the Kiwi channel and recognise the winners of the Reseller News Women in ICT Awards (WIICTA) 2020.

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards
Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

The leading female front runners of the New Zealand ICT industry joined together for the annual Reseller News Women in ICT Awards event at the Hilton in Auckland, during which hundreds of guests celebrated 13 outstanding individuals who won awards, chosen from more than 50 finalists representing over 30 organisations.

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards
Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

More than 500 channel leaders gathered in Auckland on 21 October at the ​Reseller News Innovation Awards ​2020 to celebrate the achievements of the New Zealand technology industry's top partners, start-ups, vendors, distributors and individuals.

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners
Show Comments