Egad. Microsoft Security Bulletin MS14-022 – Critical for SharePoint

Hey folks

We’ve come across a SharePoint security concern that requires your attention, if you are not already aware of it.

To be clear – we’re not fans of fear mongering. SharePoint patches pop up frequently, but we’ve identified this one as particularly critical.

We are currently applying this patch internally to protect ourselves and to develop a response to assist our clients with minimal disruption. We suggest you or your IT team treat this as a top priority and either address this yourself or schedule time with an itgroove consultant to get the patch deployed.

SharePoint Exploit Notification

Here’s the background of the issue

  • It’s classified as a “Critical patch” – it’s big enough that the US Department of Homeland Security is addressing it on their site.
  • It impacts SharePoint 2007, 2010, 2013 and Microsoft Web Apps (Office Online).
  • This patch is particularly important for sites that are connected to the internet.

Here are the technical details

  • It’s a security patch for an XSS exploit (basically un-sanitized user input), which makes it very unlikely that the patch would be pulled or retro-fitted.
  • This affects sites exposed to authorized users as well as anonymously exposed sites.
  • The patch covers 3 CVEs; none are under public attack, and they do require social engineering aimed at your users to trigger.

To learn more, here are some sources to review:

Please give us a call or send us an email to book time with one of our consultants for assistance.