Column

Inside MSRC: Microsoft SharePoint flaw explained


The October 2007 bulletin release has six new security bulletins affecting Microsoft Windows and Microsoft Office. Four of the new bulletins are rated as Critical; the remaining two are rated as Important.

For this month's column, I will focus primarily on MS07-059, a bulletin that affects Windows SharePoint Services 3.0 and Office SharePoint Server 2007. For your risk assessment and deployment planning, I will help you better understand the nature of the vulnerability, explain which security updates apply to which systems, and make you aware of a non-security change also present in the update.

I'll also briefly cover MS07-056, and help you understand why changes in Windows Vista give it a lower severity rating than older versions of Windows.

First though, I'll give you a final update on the Microsoft Baseline Security Analyzer (MBSA) 1.2.1.

Final Security Updates Supported by MBSA 1.2.1
I've mentioned several times that this release would be the final release that supports MBSA 1.2.1. MBSA 1.2.1 is now officially retired. While we have support in MBSA 1.2.1 for the October 2007 security bulletins, security updates moving forward will not be supported.

Beginning with the November 2007 security bulletin release, MBSA 2.0.1 and the beta version of MBSA 2.1 are the only versions of MBSA that will be supported for security updates.

We encourage you to upgrade from MBSA 1.2.1 to MBSA 2.1 as soon as possible. As always, you can get the latest information about MBSA at the MBSA website.

Understanding MS07-059, Windows SharePoint Services 3.0 and Office SharePoint Server 2007
This is a bulletin that addresses a cross-site scripting vulnerability in Windows SharePoint Services 3.0 and Office SharePoint Server 2007.

Usually, cross-site scripting vulnerabilities have a potential impact on the user's client system: specifically, running script in the logged-on user's security context on their client system. In the case of this bulletin, because of the nature of the vulnerability, the potential impact is to run script in the user's context on a SharePoint site that the user has rights to, rather than on the user's own client system.

I want to point out two things, as far as the scope of that impact, for your risk assessment:

First, the scope of impact is on a SharePoint site, NOT on the entire server. As an example, let's say a SharePoint server has multiple sites and a user has rights to only one of those. In this case, the attacker would only be able to take actions on the single site on which the user has rights: they would be unable to take actions against the other sites because the user has no rights to those sites.

Second, any limitations on the user's account on the SharePoint site would limit the attacker's code. A successful attack against a user with limited rights on a site would be limited in scope. Conversely, a successful attack against a user with Administrative rights on a site would give the attacker complete control of the site.

Because the potential net impact of this would be for a user with no rights or limited rights to gain elevated rights on a SharePoint site, we've called out the impact of this vulnerability as an "Elevation of Privilege" vulnerability against the SharePoint sites.

When you're looking at MS07-059, to determine which updates will be applicable to what systems, it's important to understand how Windows SharePoint Services 3.0 relates to Office SharePoint Server 2007. Windows SharePoint Services 3.0 is a technology in Windows Server 2003. Office SharePoint Server 2007 is a separate application that runs on Windows Server 2003.

You can use Windows SharePoint Services 3.0 without loading Office SharePoint Server 2007. However, if you run Office SharePoint Server 2007, you must also have Windows SharePoint Services 3.0 installed and running on your Windows 2003 Server system. This is because Office SharePoint Server 2007 sits on top of, and utilizes, the functionality within Windows SharePoint Services 3.0.

MS07-059 provides security updates for both Windows SharePoint Services 3.0 and Office SharePoint Server 2007. The security update for Windows SharePoint Services 3.0 is applicable to your systems if you're running Windows SharePoint Services 3.0 by itself, or with Office SharePoint Server 2007 installed. The security update for Office SharePoint Server 2007 is applicable to your systems only if you're running Office SharePoint Server 2007. If you're running Windows SharePoint Services 3.0 by itself, the security update for Office SharePoint Server 2007 is not applicable to your system.

The most important thing to note, though, is that MBSA 2.0.1 will correctly identify if one, or both, of these security updates are applicable to your system.

Finally, in addition to the changes to address the security issue detailed in the bulletin, the security update for Windows SharePoint Services 3.0 also includes changes to support the new Daylight Savings Time dates for New Zealand. These changes were first released as a hotfix, associated with Microsoft Knowledge Base article 941412. When you apply this security update, your systems will also be updated to address this issue. This means that once you install the security update, you will not need to install this separate hotfix.

MS07-056, Windows Mail on Windows Vista
In looking at MS07-056, the Outlook Express and Windows Mail bulletin for this month, I want to call attention to a mitigating factor for Windows Mail on Windows Vista. Because of this mitigating factor, we have rated this issue as Important on Windows Vista rather than Critical, as we have on the other versions of Windows.

The vulnerability this bulletin addresses can enable code execution in the user's security context for all affected versions of Windows. However, if an attacker attempts to exploit this vulnerability by convincing a user on Windows Vista to click on a malicious hyperlink, Internet Explorer Protected Mode raises an additional security dialog that the user must acknowledge before an attack could be successful.

Because Internet Explorer Protected Mode introduces an additional step of user interaction that can protect against attacks, we've rated this issue as Important. This is consistent with ratings that we've made for other vulnerabilities, such as those related to Microsoft Office files – where a newer version that requires an additional level of user interaction for a successful attack is rated with lower severity. For example, this month's Microsoft Word bulletin, MS07-060, is rated as Critical for Word 2000, but Important for Word 2002 because of a similar layer of security.

Conclusion
In closing, I want to encourage you to take a moment and register for our regular monthly security bulletin webcast. For October 2007, it will be held on Wednesday, Oct. 10 at 11 a.m. Pacific Time.

Mike Reavey and I will review information about each bulletin to help you with your planning and deployment. Most importantly, after our review session, we will answer your questions live with information from our assembled panel of experts.

If you can't make the live webcast, you can also access it as an on-demand webcast.

Take a moment and mark your calendars for the November 2007 monthly bulletin release. The release itself is scheduled for Tuesday, November 13, 2007, and the advance notification is scheduled for Thursday, November 8, 2007. Look for the November edition of this column on release day, with information to help you with your planning and deployment of the November 2007 security bulletins.