SharePoint 2010 Security Patches - How Vulnerable Are You? UPDATED: December 2016
YES, this blog post is about SharePoint 2010!
YES, SharePoint 2010 is old, over 6 years old actually. YES, it's no longer officially supported by Microsoft, without very specific Premier Support that is. YES, we still see a lot of it out there! YES, if you're going to continue to stick with SharePoint 2010 for now, you must keep current with security patches!
One of the most common security issues we see with SharePoint 2010 farms is that administrators have not kept up with security patches and updates. This not only makes it difficult to support and maintain the environment, but it also opens your farm up to security vulnerabilities - security vulnerabilities that have already been fixed!
This article reviews all SharePoint 2010 security updates that have been released in the last 5+ years since Service Pack 1, and discusses the importance of keeping up to date with those patches.
Why Keep Up to Date with SharePoint 2010 Security Patches?
It's generally accepted that all (or most) corporate, government or enterprise SharePoint farms contain sensitive data of one form or another. As such, security threats to your SharePoint farm represent security threats to your sensitive data. The security threats can come from many sources, which are often referred to as 'attack vectors' by security geeks, including:
These can be traditional external threat actors or people trying to hack into your network and then your SharePoint farm.
They can be internal threats, or your own employees, looking to steal information for either some form of sabotage, competitive advantage or a partisan/political cause that they believe in.
Or, and more commonly, they can be due to malware that is accidentally (or sometimes intentionally) brought into your enterprise environment.
This is a generalization, but... Internal threats will tend to rely on some form of social engineering to gain 'legitimate' access to the repository and therefore the data...
"oh just give me Full Control so I can get access to the data I need to get my job done today".
However, external attackers or malware will tend to exploit some security vulnerability in your server environment in order to access a repository that's storing sensitive data. It is these security vulnerabilities that the many security patches released over the years have been specifically built to fix. Many SharePoint 2010 environments we've looked at are typically running without having been patched in years! We've assessed several over the last year, and many SharePoint 2010 farms have in fact only been patched to SharePoint 2010 Service Pack 1, which was released in June 2011. If you think about it, that's over 5 years' worth of security updates that are missing from those farms, leaving them open to significant vulnerabilities and attacks!
List of SharePoint 2010 Security Updates since Service Pack 1
First of all, let me give a huge thank you to Todd Klindt (@ToddKlindt) who has maintained a list of SharePoint build versions and links to the cumulative updates for many years, which can be found here. Much of my data starts with his table and then is correlated with Microsoft issued security bulletins each month. Thank you also to Josh Jackson for helping me put this list together!
The following table builds on top of Todd's list to include the security updates that have been released with each update since Service Pack 1. All important or critical security updates are shown in Red. I'm including this here to help readers understand the importance of updating their farm and to help decide which security updates to deploy.
Although there are updates to various security related components (selectsecurity.aspx, security.aspx, securitytoken.svc, spsecuritysettings.aspx) the changes are not classified as security fixes.
Although there are updates to various security related components (selectsecurity.aspx, security.aspx, securitytoken.svc, spsecuritysettings.aspx) the changes are not classified as security fixes.
Although there are updates to various security related components (selectsecurity.aspx, security.aspx, securitytoken.svc, spsecuritysettings.aspx) the changes are not classified as security fixes.
There are updates to various security related components: selectsecurity.aspx, security.aspx, securitytoken.svc, spsecuritysettings.aspx. Security related fixes included in this update pertain to an issue with alerts not sent to a claims based user that has not logged in for 24 hours, and size limitations on audit trail reports.
There are updates to various security related components: selectsecurity.aspx, security.aspx, securitytoken.svc, spsecuritysettings.aspx. Security related fixes included in this update pertain to an issue with alerts not sent to a claims based user that has not logged in for 24 hours, and size limitations on audit trail reports.
Although there are updates to various security related components (selectsecurity.aspx, security.aspx, securitytoken.svc, spsecuritysettings.aspx) the changes are not classified as security fixes.
Critical vulnerability: could allow remote code execution if an authenticated attacker sends specially crafted page content to a target SharePoint server.
Office documents that are digitally signed and uploaded to a document library can have their signature invalidated when a new content type is added to a library.
Although there are updates to various security related components (selectsecurity.aspx, security.aspx, securitytoken.svc, spsecuritysettings.aspx) the changes are not classified as security fixes.
Although there are updates to various security related components (security.aspx, securitytoken.svc, spsecuritysettings.aspx) the changes are not classified as security fixes.
Although there are updates to various security related components (selectsecurity.aspx, security.aspx, securitytoken.svc, spsecuritysettings.aspx) the changes are not classified as security fixes.
Although there are updates to various security related components (selectsecurity.aspx, security.aspx, spsecuritysettings.aspx) the changes are not classified as security fixes.
Although there are updates to various security related components (selectsecurity.aspx, security.aspx, spsecuritysettings.aspx) the changes are not classified as security fixes.
Important vulnerability: could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Word file in an affected version of Office. More details available at: https://technet.microsoft.com/library/security/ms15-012.
Critical vulnerability: could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Word file in an affected version of Office. More details available at: https://technet.microsoft.com/library/security/ms15-022.
Critical vulnerability: could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Word file in an affected version of Office. More details available at: https://technet.microsoft.com/library/security/ms15-033.
Important vulnerability: could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Office file in an affected version of Office. More details available at: https://technet.microsoft.com/library/security/ms15-046.
Important vulnerability: could allow remote code execution if an authenticated attacker sends specially crafted page content to a SharePoint server. An attacker who successfully exploited these vulnerabilities could run arbitrary code in the security context of the W3WP service account on the target SharePoint site. More details available at: https://technet.microsoft.com/library/security/MS15-047.
Important vulnerability: could allow remote code execution if an attacker convinces a user to open or preview a specially crafted Microsoft Office file in an affected version of Office. More details available at: https://technet.microsoft.com/library/security/ms15-046.
Important vulnerability focused on Excel Services: could allow remote code execution if a user opens a specially crafted Microsoft Office file. More details available at: https://technet.microsoft.com/library/security/MS15-070.
Critical vulnerability focused on Word Automation Services: could allow remote code execution if a user opens a specially crafted Office file. More details available at: https://technet.microsoft.com/library/security/MS15-081.
Important vulnerability focused on Excel Services: could allow remote code execution if a user opens a specially crafted Microsoft Office file. More details available at: https://technet.microsoft.com/library/security/MS15-110.
Important vulnerability focused on Word Automation Services: could allow remote code execution if a user opens a specially crafted Microsoft Office file. More details available at: https://technet.microsoft.com/library/security/MS15-116.
Important vulnerability focused on Excel Services: could allow remote code execution if a user opens a specially crafted Microsoft Office file. More details available at: https://technet.microsoft.com/library/security/MS15-116.
Critical vulnerability focused on Excel Services: could allow remote code execution if a user opens a specially crafted Microsoft Office file. More details available at: https://technet.microsoft.com/library/security/MS16-015.
Important vulnerability focused on Word Automation Services: could allow remote code execution if a user opens a specially crafted Office file. More details available at: https://technet.microsoft.com/library/security/MS16-029.
Critical vulnerability focused on Word Automation Services: could allow remote code execution if a user opens a specially crafted Office file. More details available at: https://technet.microsoft.com/library/security/MS16-042.
Critical vulnerability focused on Word Automation Services: could allow remote code execution if a user opens a specially crafted Office file. More details available at: https://technet.microsoft.com/library/security/MS16-054.
Critical vulnerability focused on Word Automation Services: could allow remote code execution if a user opens a specially crafted Office file. More details available at: https://technet.microsoft.com/library/security/MS16-070.
Critical vulnerability focused on Word Automation Services: could allow remote code execution if a user opens a specially crafted Office file. More details available at: https://technet.microsoft.com/library/security/MS16-088.
Critical vulnerability focused on Word Automation Services: could allow remote code execution if a user opens a specially crafted Microsoft Office file. More details available at: https://technet.microsoft.com/library/security/MS16-107.
Critical vulnerability focused on Excel Services: could allow remote code execution if a user opens a specially crafted Microsoft Office file. More details available at: https://technet.microsoft.com/library/security/MS16-107.
Critical vulnerability focused on Excel Services: could allow remote code execution if a user opens a specially crafted Microsoft Office file. More details available at: https://technet.microsoft.com/library/security/MS16-121.
Important vulnerability focused on Word Automation Services: could allow remote code execution if a user opens a specially crafted Office file. More details available at: https://technet.microsoft.com/library/security/MS16-133.
Important vulnerability focused on Excel and Word Automation Services: could allow remote code execution if a user opens a specially crafted Office file. More details available at: https://technet.microsoft.com/library/security/MS16-148.
*Note: This list does not contain patches specific to SharePoint 2010 Foundation, only SharePoint 2010 Server.
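To make use of the table above you first need to know where your own farm sits. The following PowerShell script is an added example, not code from the article: it reads the farm's build version and compares it against baseline build numbers for RTM, SP1 and SP2 that are assumed here and should be verified against Todd Klindt's build list; it assumes it is run as a farm administrator in an elevated SharePoint 2010 Management Shell on a farm server.

```powershell
# Added example (not from the original article): report a SharePoint 2010
# farm's patch level for comparison with the security update table.
# Assumptions: SharePoint 2010 Management Shell, farm administrator rights,
# PowerShell 2.0 (no [ordered] or PS 3.0-only syntax is used).
param(
    # Placeholder: the newest build you have verified from Todd Klindt's list.
    [Version]$LatestKnownBuild = [Version]'14.0.0.0'
)

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Assumed baseline builds. [Version] compares numerically, so 14.0.7015
# correctly sorts after 14.0.6029 (a plain string compare would not).
$baselines = @(
    @('RTM',            [Version]'14.0.4763.1000'),
    @('Service Pack 1', [Version]'14.0.6029.1000'),
    @('Service Pack 2', [Version]'14.0.7015.1000')
)
$sp1Build = [Version]'14.0.6029.1000'

# BuildVersion is the version recorded in the configuration database; it
# advances only after the SharePoint Products Configuration Wizard (PSConfig)
# has completed, so binaries can be newer than what this reports.
$farm  = Get-SPFarm
$build = $farm.BuildVersion

# Highest baseline the farm has reached.
$level = 'below RTM (unexpected)'
foreach ($b in $baselines) {
    if ($build -ge $b[1]) { $level = $b[0] }
}

Write-Host "Farm build version : $build"
Write-Host "Baseline reached   : $level"
Write-Host "Pending upgrade    : $($farm.NeedsUpgrade)"

if ($build -le $sp1Build) {
    Write-Warning 'Farm is at or below SP1 (June 2011): every update in the table is missing.'
}
if ($LatestKnownBuild -gt [Version]'14.0.0.0' -and $build -lt $LatestKnownBuild) {
    Write-Warning "Farm build $build is older than the latest verified build $LatestKnownBuild."
}

# Per-server view: installed products and whether patches on this server
# have been applied and upgraded. Run this on every server in the farm.
Get-SPProduct -Local | Format-Table -AutoSize
```

A NeedsUpgrade value of True, or a build that does not match Todd's table for the CU you believe is installed, usually means a patch was installed but PSConfig was never run to complete it.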
Microsoft Service Packs, Cumulative Updates (CU) and Public Updates (PU)
These are all different types of updates with specific characteristics. Service Packs are a tested, cumulative set of all hotfixes, security updates, critical updates, and updates up to a specific point in time. They often denote a support level for the general product, meaning you should be upgraded to the latest service pack in order to maintain your farm in a supported state. More information on the definitions can be found here.
As a standard practice, you must also make sure that you thoroughly test these updates on a pre-production environment before applying them to your production farms.
Very obviously it's important to keep your SharePoint farm, or any enterprise software, current by applying the latest hotfixes, updates, and service packs. These updates contain important security fixes, product enhancements and improvements. Deploying a security update usually requires some form of change management/approval process for the server farm, and that can sometimes have business implications due to the downtime required to apply updates to SharePoint 2010. My hope is that this table and article can help IT administrators justify the time and change approval process required to patch their SharePoint 2010 farms and keep them current with the latest security updates available.
This is the first time I am reading your article and it's quite confusing for me since I am not a computer student, however I will be sharing this article with a friend of mine.
These SharePoint 2010 Security Patches are amazing! I want to buy them for my children and to make his little paper creatures with them. I was looking for the book at Essaylab.org but haven't found the one I wanted. Do you know some other places where I can look for it?
It is really a great and helpful piece of info. I am glad that you shared this helpful information with us. Please keep us informed like this. Thank you for sharing. Pmp Training In Hyderabad
free triple diamond slots Already now you can simply take and receive the highest quality money at online casinos. You can just take and use a great site that provides a wide selection of very cool guys who will play very cool types of casino games. I hope you enjoy playing in the casino
blood pressure watch Keep your workout schedule fresh and invigorating. Create your own custom running, cycling, cardio or strength workouts, and download them to your watch. Then, your smartwatch will keep track of the exercises, reps, sets and rest time for you.
Who is to guarantee that I won't require assistance in order to complete the topics for my marketing management assignment service? He might thus employ this service, in my opinion. After reading your blog post, I believe you should utilise this service since I believe your essay writing service provider can produce a great document that I can use to demonstrate to my friends how awesome it is.
It's a really meaningful word and effort to me. And as well believe that this is a pretty plus genuinely submit. Thanks so much for the great updates. You've just amazed me. Thanks so very much for sharing. aaua pre-degree admission form closing date
Such noteworthy information about the necessity to promptly install a security patch! Some firms fail to appreciate the dangers of holding off updates, which exposes them to cybercriminals. Similar to the dissertation services uk students that offer research, quality check and timely revision, it is of paramount importance to update security patches frequently. It is this practice that can help you avoid major threats in the future in case you initiate proactive measures.