YES, SharePoint 2010 is old, over 6 years old actually.
YES, it's no longer officially supported by Microsoft, unless you have a very specific Premier Support agreement, that is.
YES, we still see a lot of it out there!
YES, if you're going to continue to stick with SharePoint 2010 for now, you must keep current with security patches!
One of the most common security issues we see with SharePoint 2010 farms is that administrators have not kept up with security patches and updates. This not only makes it difficult to support and maintain the environment, but it also opens your farm up to security vulnerabilities - security vulnerabilities that have already been fixed!
This article reviews all SharePoint 2010 security updates that have been released in the last 5+ years since Service Pack 1, and discusses the importance of keeping up to date with those patches.
Why Keep Up to Date with SharePoint 2010 Security Patches?
It's generally accepted that all (or most) corporate, government or enterprise SharePoint farms contain sensitive data of one form or another. As such, security threats to your SharePoint farm represent security threats to your sensitive data. The security threats can come from many sources, which are often referred to as 'attack vectors' by security geeks, including:
- These can be traditional external threat actors or people trying to hack into your network and then your SharePoint farm.
- They can be internal threats, or your own employees, looking to steal information for either some form of sabotage, competitive advantage or a partisan/political cause that they believe in.
- Or, and more commonly, they can be due to malware that is accidentally (or sometimes intentionally) brought into your enterprise environment.
This is a generalization, but... Internal threats will tend to rely on some form of social engineering to gain 'legitimate' access to the repository and therefore the data...
However, external attackers or malware will tend to exploit some security vulnerability in your server environment in order to access a repository that's storing sensitive data. It is these security vulnerabilities that the many security patches released over the years have been specifically built to fix. Many SharePoint 2010 environments we've looked at are running without having been patched in years! We've assessed several over the last year, and many SharePoint 2010 farms have in fact only been patched to SharePoint 2010 Service Pack 1, which was released in June 2011. If you think about it, that's over 5 years' worth of security updates missing from those farms, leaving them open to significant vulnerabilities and attacks!
List of SharePoint 2010 Security Updates since Service Pack 1
First of all, let me give a huge thank you to Todd Klindt (@ToddKlindt), who has maintained a list of SharePoint build versions and links to the cumulative updates for many years, which can be found here. Much of my data starts with his table and is then correlated with the Microsoft security bulletins issued each month. Thank you also to Josh Jackson for helping me put this list together!
The following table builds on top of Todd's list to include the security updates that have been released with each update since Service Pack 1. All important or critical security updates are shown in red. I'm including this here to help readers understand the importance of updating their farm and to help decide which security updates to deploy.
*Note: This list does not contain patches specific to SharePoint 2010 Foundation, only SharePoint 2010 Server.
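As an added example (not from the original article, and not a Microsoft tool), the following PowerShell check compares a SharePoint 2010 farm's patch level against a minimum build taken from the table. The Test-SP2010PatchLevel function name and its -MinimumBuild parameter are my own, and the build number passed in is a placeholder to be filled in from the table.

```powershell
# Added example, not from the original article. Assumes it runs in the SharePoint 2010
# Management Shell (or plain PowerShell on a farm server) as a farm administrator.
# Run it on every server in the farm: the farm build is shared, the binary build is per server.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Test-SP2010PatchLevel {
    param(
        # Lowest acceptable build: the build number of the newest critical/important
        # security update from the table (placeholder shown in the usage line below).
        [Parameter(Mandatory = $true)][Version]$MinimumBuild
    )

    # Build recorded in the farm configuration database. This only moves forward once the
    # SharePoint Products Configuration Wizard (PSConfig) has been run after installing a patch.
    $farmBuild = (Get-SPFarm).BuildVersion

    # Build of the binaries installed on this server (the "14 hive" is SharePoint 2010's root).
    $dllPath = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\14\ISAPI\Microsoft.SharePoint.dll'
    $binaryBuild = [Version](Get-Item $dllPath).VersionInfo.FileVersion

    # Below baseline: security fixes listed in the table are missing from this farm.
    $belowBaseline = ($farmBuild -lt $MinimumBuild)
    # Binaries newer than the farm: the patch was installed but PSConfig was never run,
    # so the farm still reports (and partly runs at) the old level.
    $psConfigPending = ($binaryBuild -gt $farmBuild)

    # New-Object rather than [PSCustomObject] so this also works on PowerShell 2.0,
    # which is what the SharePoint 2010 Management Shell ships with.
    $report = New-Object PSObject -Property @{
        Server          = $env:COMPUTERNAME
        FarmBuild       = $farmBuild
        BinaryBuild     = $binaryBuild
        MinimumBuild    = $MinimumBuild
        BelowBaseline   = $belowBaseline
        PSConfigPending = $psConfigPending
    }

    if ($belowBaseline) {
        Write-Warning "Farm build $farmBuild is below the required build $MinimumBuild. Apply the missing security updates."
    }
    if ($psConfigPending) {
        Write-Warning "Binaries ($binaryBuild) are newer than the farm ($farmBuild). Run PSConfig to complete the upgrade."
    }
    return $report
}

# Usage (replace NNNN with the build number of the chosen security update from the table):
# Test-SP2010PatchLevel -MinimumBuild ([Version]'14.0.NNNN.NNNN')
```

Pipe the returned object to Export-Csv from each server to collect a farm-wide patch-level report for the change approval discussion.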
Microsoft Service Packs, Cumulative Updates (CU) and Public Updates (PU)
These are all different types of updates with specific characteristics. Service Packs are a tested, cumulative set of all hotfixes, security updates, critical updates, and updates up to a specific point in time. They often denote a support level for the general product, meaning you should be upgraded to the latest service pack in order to maintain your farm in a supported state. More information on the definitions can be found here.
As a standard practice, you must also make sure that you thoroughly test these updates on a pre-production environment before applying them to your production farms.
Obviously, it's important to keep your SharePoint farm, or any enterprise software, current by applying the latest hotfixes, updates, and service packs. These updates contain important security fixes, product enhancements and improvements. Deploying a security update usually requires some form of change management/approval process for the server farm, and that can sometimes have business implications due to the downtime required to apply updates to SharePoint 2010. My hope is that this table and article can help IT administrators justify the time and change approval process required to patch their SharePoint 2010 farms and keep them current with the latest security updates available.