Follow me on Twitter @AntonioMaio2

Monday, December 19, 2016

SharePoint 2010 Security Patches - How Vulnerable Are You?
UPDATED: December 2016

YES, this blog post is about SharePoint 2010! 

YES, SharePoint 2010 is old, over 6 years old actually. 
YES, its no longer officially supported by Microsoft, without very specific Premiere Support that is.
YES, we still see a lot of it out there!
YES, if you're going to continue to stick with SharePoint 2010 for now, you must keep current with security patches!

One of the most common security issues we see with SharePoint 2010 farms is that administrators have not kept up with security patches and updates.  This not only makes it difficult to support and maintain the environment, but it also opens your farm up to security vulnerabilities - security vulnerabilities that have already been fixed! 

This article reviews all SharePoint 2010 security updates that have been released in the last 5+ years since Service Pack 1, and discusses the importance of keeping up to date with those patches.

Why Keep Up to Date with SharePoint 2010 Security Patches?

Its generally accepted that all (or most) corporate, government or enterprise SharePoint farms contain sensitive data of one form or another.  As such, security threats to your SharePoint farm represent security threats to your sensitive data.  The security threats can come from many sources, which are often referred to as 'attack vectors' by security geeks, including:
  • These can be traditional external threat actors or people trying to hack into your network and then your SharePoint farm. 
  • They can be internal threats, or your own employees, looking to steal information for either some form of sabotage, competitive advantage or a partisan/political cause that they believe in.
  • Or, and more commonly, they can be due to malware that is accidentally (or sometimes intentionally) brought into your enterprise environment.

This is a generalization, but... Internal threats will tend to rely on some form of social engineering to gain 'legitimate' access to the repository and therefore the data...
"oh just give me Full Control so I can get access to the data I need to get my job done today"

However, external attackers or malware will tend to exploit some security vulnerability in your server environment in order to access a repository that's storing sensitive data.  It is these security vulnerabilities that the many security patches that have been released over the years have been specifically built to fix.  Many SharePoint 2010 environments we've looked at are typically running without having been patched in years!  We've assessed several over the last year and many SharePoint 2010 farms have in fact have only been patched to SharePoint 2010 Service Pack 1, which was released in June 2011.  If you think about it, that's over 5 years worth of security updates that are missing from those farms, leaving it open to significant vulnerabilities and attacks!

List of SharePoint 2010 Security Updates since Service Pack 1

First of all, let me give a huge thank you to Todd Klindt (@ToddKlindt) who has maintained a list of SharePoint build versions and links to the cumulative updates for many years, which can be found here.  Much of my data starts with his table and then is correlated with Microsoft issued security bulletins each month.  Thank you also to Josh Jackson for helping me put this list together!

The following table builds on top of Todd's list to include the security updates that have been released with each update since Service Pack 1. All important or critical security updates are shown in Red. I'm including this here to help readers understand the importance of updating their farm and to help decide which security updates to deploy.


Version Release Category Security
Criticality
KB Article Security
Bulletin
Security Related Notes
14.0.6029.1000 May 2011 Service Pack 1 Critical KB2460045 Required to maintain Microsoft support.
14.0.6106.5002 June 2011 - Mark 2 Cumulative Update Minor KB2536599
14.0.6109.5002 August 2011 Cumulative Update Minor KB2553048 Fix included for a minor security issue with the audience picker control.
14.0.6112.5000 October 2011 Cumulative Update Minor KB2596505
14.0.6114.5000  December 2011 Cumulative Update Minor KB2597014
14.0.6117.5002 February 2012 Cumulative Update Minor KB2597150
14.0.6120.5000 April 2012 - Mark1 (Removed) NA
14.0.6120.5006 April 2012 - Mark 2 Cumulative Update Minor KB2598151
14.0.6123.5002 June 2012 Cumulative Update Minor KB2598354
14.0.6126.5000 August 2012 Cumulative Update Minor KB2687353
14.0.6129.5003 October 2012 Cumulative Update Minor KB2687564
14.0.6131.5003 December 2012 Cumulative Update Minor KB2596955
14.0.6134.5000 February 2013 Cumulative Update Minor KB2767793 This update does contain a modified securitytoken.svc service, but the changes are not classified specifically as security fixes.
14.0.6134.5003 February 2013 Critical On Demand Fix Minor Article
14.0.6137.5000 April 2013 Cumulative Update Minor KB2775353 Although there are updates to various security related components (selectsecurity.aspx, security.aspx, securitytoken.svc, spsecuritysettings.aspx) the changes are not classified as security fixes.
14.0.7015.1000 May 2013 Service Pack 2 Critical KB2687453 Required to maintain Microsoft support.
14.0.7102.5000 June 2013 Cumulative Update Minor KB2817363 Although there are updates to various security related components (selectsecurity.aspx, security.aspx, securitytoken.svc, spsecuritysettings.aspx) the changes are not classified as security fixes.
14.0.7102.5004 July 2013 Cumulative Update Minor KB2817527 Although there are updates to various security related components (selectsecurity.aspx, security.aspx, securitytoken.svc, spsecuritysettings.aspx) the changes are not classified as security fixes.
14.0.7106.5000 August 2013 - Mark 1 Cumulative Update Minor KB2817570 There are updates to various security related components: selectsecurity.aspx, security.aspx, securitytoken.svc, spsecuritysettings.aspx. Security related fixes included in this update pertain to an issue with alerts not sent to a claims based user that has not logged in for 24 hours, and size limitations on audit trail reports.
14.0.7106.5002 August 2013 - Mark 2 Cumulative Update Minor KB2825949 There are updates to various security related components: selectsecurity.aspx, security.aspx, securitytoken.svc, spsecuritysettings.aspx. Security related fixes included I this update pertain to an issue with alerts not sent to a claims based user that has not logged in for 24 hours, and size limitations on audit trail reports.
14.0.7110.5000 October 2013 Cumulative Update Minor KB2825786
14.0.7113.5000 December 2013 Cumulative Update Minor KB2849971
14.0.7116.5000 February 2014 Cumulative Update Minor KB2863913 
14.0.7121.5004 April 2014 Cumulative Update Minor KB2878250 Although there are updates to various security related components (selectsecurity.aspx, security.aspx, securitytoken.svc, spsecuritysettings.aspx) the changes are not classified as security fixes.
14.0.7123.5000 May 2014 Security Update Critical KB2952166 MS14-022 Critical vulnerability: could allow remote code execution if an authenticated attacker sends specially crafted page content to a target SharePoint server.
14.0.7125.5000 June 2014 Cumulative Update Minor KB2880972 Office documents that are digitally signed and uploaded to a document library can have their signature invalidated when a new content type is added to a library.
14.0.7128.5001 July 2014 Cumulative Update Minor KB2883005 Although there are updates to various security related components (selectsecurity.aspx, security.aspx, securitytoken.svc, spsecuritysettings.aspx) the changes are not classified as security fixes.
14.0.7130.5000 August 2014 Hot Fix (Not Cumulative) Minor KB2889831 Although there are updates to various security related components (security.aspx, securitytoken.svc, spsecuritysettings.aspx) the changes are not classified as security fixes.
14.0.7132.5000 September 2014 Cumulative Update Minor KB2883103 Although there are updates to various security related components (selectsecurity.aspx, security.aspx, securitytoken.svc, spsecuritysettings.aspx) the changes are not classified as security fixes.
14.0.7134.5000 October 2014 Hot Fix (Not Cumulative) Minor KB2899490 
14.0.7137.5000 November 2014 Cumulative Update Minor KB2899478  Although there are updates to various security related components (selectsecurity.aspx, security.aspx, spsecuritysettings.aspx) the changes are not classified as security fixes.
14.0.7140.5000 December 2014 Cumulative Update Minor KB2899583 Although there are updates to various security related components (selectsecurity.aspx, security.aspx, spsecuritysettings.aspx) the changes are not classified as security fixes.
14.0.7143.5001 February 2015 Cumulative Update +

Security Update
Important KB2899558 MS15-012 Important vulnerability: could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Word file in an affected version of Office. More details available at: https://technet.microsoft.com/library/security/ms15-012.
14.0.7145.5000 March 2015 Cumulative Update +
Security Update
Critical KB2956201 MS15-022 Critical vulnerability: could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Word file in an affected version of Office. More details available at: https://technet.microsoft.com/library/security/ms15-022.
14.0.7100.5000 April 2015 Cumulative Update +
Security Update
Critical KB2965294 MS15-033 Critical vulnerability: could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Word file in an affected version of Office. More details available at: https://technet.microsoft.com/library/security/ms15-033.
14.0.7149.5000 May 2015 Cumulative Update +
Security Update
Important KB3015569 MS15-046 Important vulnerability: could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Office file in an affected version of Office. More details available at: https://technet.microsoft.com/library/security/ms15-046.
MS15-047 Important vulnerability: could allow remote code execution if an authenticated attacker sends specially crafted page content to a SharePoint server. An attacker who successfully exploited these vulnerabilities could run arbitrary code in the security context of the W3WP service account on the target SharePoint site. More details available at: https://technet.microsoft.com/library/security/MS15-047.
14.0.7151.5001 June 2015 Cumulative Update +
Security Update
Important KB3054880 MS15-046 Important vulnerability: could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Office file in an affected version of Office. More details available at: https://technet.microsoft.com/library/security/ms15-046.
14.0.7153.5000 July 2015 Cumulative Update +
Security Update
Important KB3054975 MS15-070 Important vulnerability focused on Excel Services: could allow remote code execution if a user opens a specially crafted Microsoft Office file. More details available at: https://technet.microsoft.com/library/security/MS15-070.
14.0.7155.5000 August 2015 Cumulative Update +
Security Update
Critical KB3055040 MS15-081 Critical vulnerability focused on Word Automation Services: could allow remote code execution if a user opens a specially crafted Office file. More details available at: https://technet.microsoft.com/library/security/MS15-081.
14.0.7157.5001 September 2015 Cumulative Update Minor KB3085521
14.0.7160.5000 October 2015 CU Cumulative Update +
Security Update
Important KB3085603 MS15-110 Important vulnerability focused on Excel Services: could allow remote code execution if a user opens a specially crafted Microsoft Office file. More details available at: https://technet.microsoft.com/library/security/MS15-110.
14.0.7162.5000 November 2015 Cumulative Update +
Security Update
Important KB3101534 MS15-116 Important vulnerability focused on Word Automation Services: could allow remote code execution if a user opens a specially crafted Microsoft Office file. More details available at: https://technet.microsoft.com/library/security/MS15-116.
MS15-116 Important vulnerability focused on Excel Services: could allow remote code execution if a user opens a specially crafted Microsoft Office file. More details available at: https://technet.microsoft.com/library/security/MS15-116.
14.0.7164.5000 December 2015 Cumulative Update Minor KB3114408
14.0.7166.5000 February 2016 Cumulative Update +
Security Update
Critical KB3114558 MS16-015 Critical vulnerability focused on Excel Services: could allow remote code execution if a user opens a specially crafted Microsoft Office file. More details available at: https://technet.microsoft.com/library/security/MS16-015.
14.0.7167.5000 March 2016 Cumulative Update +
Security Update
Important KB3114882 MS16-029 Important vulnerability focused on Word Automation Services: could allow remote code execution if a user opens a specially crafted Office file. More details available at: https://technet.microsoft.com/library/security/MS16-029.
14.0.7168.5000 April 2016 Cumulative Update +
Security Update
Critical KB3114995 MS16-042 Critical vulnerability focused on Word Automation Services: could allow remote code execution if a user opens a specially crafted Office file. More details available at: https://technet.microsoft.com/library/security/MS16-042.
14.0.7169.5000 May 2016 Cumulative Update +
Security Update
Critical KB3115126 MS16-054 Critical vulnerability focused on Word Automation Services: could allow remote code execution if a user opens a specially crafted Office file. More details available at: https://technet.microsoft.com/library/security/MS16-054.
14.0.7170.5000 June 2016 Cumulative Update +
Security Update
Critical KB3115245 MS16-070 Critical vulnerability focused on Word Automation Services: could allow remote code execution if a user opens a specially crafted Office file. More details available at: https://technet.microsoft.com/library/security/MS16-070.
14.0.7171.5002 July 2016 Cumulative Update +
Security Update
Critical KB3115319 MS16-088 Critical vulnerability focused on Word Automation Services: could allow remote code execution if a user opens a specially crafted Office file. More details available at: https://technet.microsoft.com/library/security/MS16-088.
14.0.7173.5000 September 2016 Cumulative Update +
Security Update
Critical KB3115473 MS16-107 Critical vulnerability focused on Word Automation Services: could allow remote code execution if a user opens a specially crafted Microsoft Office file. More details available at: https://technet.microsoft.com/library/security/MS16-107.
MS16-107 Critical vulnerability focused on Excel Services: could allow remote code execution if a user opens a specially crafted Microsoft Office file. More details available at: https://technet.microsoft.com/library/security/MS16-107.
14.0.7174.5001 October 2016 Cumulative Update +
Security Update
Critical KB3118387 MS16-121 Critical vulnerability focused on Excel Services: could allow remote code execution if a user opens a specially crafted Microsoft Office file. More details available at: https://technet.microsoft.com/library/security/MS16-121.
14.0.7176.5000 November 2016 Cumulative Update +
Security Update
Important KB3127957 MS16-133 Important vulnerability focused on Word Automation Services: could allow remote code execution if a user opens a specially crafted Office file. More details available at: https://technet.microsoft.com/library/security/MS16-133.
14.0.7177.5000 December 2016 Cumulative Update +
Security Update
Important KB3128036 MS16-148 Important vulnerability focused on Excel and Word Automation Services: could allow remote code execution if a user opens a specially crafted Office file. More details available at: https://technet.microsoft.com/library/security/MS16-148.

*Note: This list does not contain patches specific to SharePoint 2010 Foundation, only SharePoint 2010 Server.

Microsoft Service Packs, Cumulative Updates (CU) and Public Updates (PU)

These are all different types of updates with specific characteristics.  Service Packs are a tested, cumulative set of all hotfixes, security updates, critical updates, and updates up to a specific point in time.  They often denote a support level for the general product, meaning you should be upgraded to the latest service pack in order to maintain your farm in a supported state.  More information on the definitions can be found here.

As a standard practice, you must also make sure that you thoroughly test these updates on a pre-production environment before applying them to your production farms.

Very obviously its important to keep your SharePoint farm, or any enterprise software, current by applying the latest hotfixes, updates, and service packs. These updates contain important security fixes, product enhancements and improvements. Deploying a security update usually requires some form of change management/approval process for the server farm, and that can sometimes have business implications due to downtime required to apply updates to SharePoint 2010.  My hope is that this table and article can help IT administrators justify the time and change approval process required to patch their SharePoint 2010 farms and keep them current with the latest security updates available.

Happy patching!
   -Antonio

1 comment:

  1. This is the first time I am reading your article and its quite confusing for me since i am not a computer student, however i will be sharing this article with a friend of mine.

    ReplyDelete