Microsoft to fix critical vulnerability
Microsoft will release just two security updates next Patch Tuesday, the 11th of May. The updates will fix a vulnerability in Windows and a vulnerability in Office and Visual Basic for Applications. Microsoft say only the bugs in Windows and VBA are rated critical. The operating system bug is also present in Windows 7 and Server 2008, but cannot be exploited under the default installation of these operating systems.
The cross-site scripting vulnerability in SharePoint will remain unpatched. It can be exploited by attackers to read authentication cookies, manipulate user accounts or access confidential data. However, users do have to click on a crafted link to fall victim to this attack.
According to Microsoft, the problem does not arise with Internet Explorer 8, as it contains an XSS filter which detects and blocks the attack. Until the patch is deployed, Microsoft is advising users to block access to the script in question. According to Microsoft, administrators can do so by executing the following commands on a SharePoint server:
cacls "%ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /P everyone:N
cacls "%ProgramFiles(x86)%\Common Files\Microsoft Shared\Web Server Extensions\12\TEMPLATE\LAYOUTS\Help.aspx" /E /P everyone:N
See also:
- Microsoft issues warning about XSS hole in SharePoint, a report from The H.
(crve)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
