Follow me on Twitter @AntonioMaio2

Friday, February 12, 2016

Vulnerability: SharePoint 2007, 2010 and 2013 - Security Bulletin MS16-015 CRITICAL - Feb 2016 CU

This week Microsoft released a critical security bulletin related to vulnerabilities in several versions of Microsoft Office (2007, 2010, 2013, 2013RT, 2016, 2011 for Mac, 2016 for Mac).  In addition, SharePoint 2007, 2010 and 2013 are also affected.  Full details on the vulnerabilities can be found here: https://technet.microsoft.com/library/security/MS16-015.

The following services within the listed versions of SharePoint are specifically affected:
1. Microsoft Office SharePoint Server 2007 (MOSS)
  • Excel Services in SharePoint Server 2007 Service Pack 3 (32 bit edition)
  • Excel Services in SharePoint Server 2007 Service Pack 3 (64 bit edition)

2. Microsoft SharePoint 2010
  • Excel Services in SharePoint Server 2010 Service Pack 2

3. Microsoft SharePoint 2013
  • Excel Services in SharePoint Server 2013 Service Pack 1
  • Word Automation Services in SharePoint Server 2013 Service Pack 1

4. Microsoft Office Web Apps Server 2010 Service Pack 2
5. Microsoft Office Web Apps Server 2013 Service Pack 1
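Only two SharePoint service applications are named above, so the first question for a farm owner is whether those services are even running, and on which servers. The following PowerShell is an added example (my own, not code from the original post or from Microsoft's bulletin) that lists Excel Services and Word Automation Services instances that are Online in the farm and reports the farm build version. It assumes a SharePoint 2010 or 2013 Management Shell run as a farm administrator; the `Excel Calculation Services` and `Word Automation Services` type-name patterns and the `-ExpectedBuild` placeholder value are assumptions, and the real post-update build number must be taken from the KB article for the update you applied.

```powershell
# Added example, not from the original post or from Microsoft.
# Run in a SharePoint 2010/2013 Management Shell as a farm administrator.
# -ExpectedBuild is a PLACEHOLDER: replace it with the post-update build
# number published in the KB article for the patch you installed.
param(
    [Version]$ExpectedBuild = "15.0.0.0"   # placeholder value, see above
)

# Load the SharePoint cmdlets if this is a plain PowerShell session.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$farm = Get-SPFarm
Write-Host ("Farm build version: {0}" -f $farm.BuildVersion)

# Service type names as displayed in Central Administration (assumed; the
# wildcard match below is meant to cover both 2010 and 2013 naming).
$affectedPatterns = @("Excel Calculation Services", "Word Automation Services")

# Find every service instance of an affected type that is currently Online.
$exposed = Get-SPServiceInstance |
    Where-Object {
        $typeName = $_.TypeName
        ($affectedPatterns | Where-Object { $typeName -like "*$_*" }) -and
        $_.Status -eq "Online"
    } |
    Select-Object @{ Name = "Server"; Expression = { $_.Server.Name } }, TypeName, Status

if ($exposed) {
    Write-Host "Affected services currently Online in this farm:"
    $exposed | Format-Table -AutoSize
} else {
    Write-Host "No Excel Services or Word Automation Services instances are Online in this farm."
}

# Compare the farm build with the expected post-update build.
if ($farm.BuildVersion -lt $ExpectedBuild) {
    Write-Warning ("Farm build {0} is below the expected post-update build {1}; install the update and run PSConfig on every server." -f $farm.BuildVersion, $ExpectedBuild)
} else {
    Write-Host "Farm build is at or above the expected post-update build."
}
```

Two caveats when reading the output: the farm BuildVersion only changes after the SharePoint Products Configuration Wizard (PSConfig) has been run following the update, so a server can have the binaries installed while the farm still reports the old build (Central Administration's "Manage Patch Status" page shows per-server state). Office Web Apps Server 2010/2013, also listed above, is not a member of the SharePoint farm and has to be checked separately on its own servers.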

Background Summary (from Microsoft's Bulletin)

    Full details on the vulnerabilities can be found here: https://technet.microsoft.com/library/security/MS16-015. According to the official Microsoft Bulletin the following is a summary of the vulnerability:

    The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

    In addition, a cross-site scripting (XSS) vulnerability exists in SharePoint Foundation 2013 SP1 which could allow remote attackers to inject arbitrary web script or HTML via a specially crafted request.

    The security updates provided by Microsoft address the vulnerabilities by:
    • Correcting how Office handles objects in memory
    • Providing a validly signed binary
    • Helping to ensure that SharePoint Server properly sanitizes web requests

    Security Resources

    • VULNERABILITY DETAILS: All the information you need about this vulnerability and links to the required security patch can be found here:  https://technet.microsoft.com/library/security/MS16-015
    • SECURITY UPDATES: Links to the security updates addressing all of these issues can be found at the link above, however a more direct link to the updates page for these security patches is the following: https://support.microsoft.com/en-us/kb/3134226.
    • REPORTED EXPLOITS: According to Microsoft, at this time there are no reported exploits that have occurred using these vulnerabilities.

    Additional details regarding the SharePoint related vulnerabilities are available at the National Vulnerability Database at the following links:

    Security Strategy for Vulnerabilities

    This bulletin reminds us that a comprehensive security strategy is needed for managing our server applications, so that we are alerted to critical security updates and can make informed decisions about updating our servers to keep them protected.  This is especially true when enterprises rely on SharePoint to store and manage sensitive corporate data.  Sometimes updates are handled through automatic updates.  In other circumstances, automatic updates are turned off on Production environments so that patches and updates can be tested in Staging environments prior to deployment to Production systems.  In many cases a mix of strategies is used, where critical security updates are installed automatically but other updates are not, so that they can first be tested in staging.  Whichever strategy your organization chooses, it's important to identify one, ensure that it's comprehensive and documented, and that it includes active periodic review of security updates on all server applications.

    Personally, I'm not a fan of automatic updates.  I like to know what is getting installed on my systems, especially my servers - even when it comes to security updates.  But not having updates applied automatically requires active research or alerts so that we are informed when vulnerabilities are found and security updates are available.  I don't want to criticize automatic security updates - depending on your comfort level they are a viable strategy for managing security and protecting our servers from vulnerabilities.  I am a big fan of Microsoft's technical security notification service, which you can register for here:




    Once again, for the vulnerabilities discussed here, please refer to Microsoft's official bulletin for all details and required security patches which is located here:  https://technet.microsoft.com/library/security/MS16-015