Rethink SharePoint Authentications
September 27, 2013
Microsoft’s recent SharePoint security bulletin left a few developers shaking in their code. According to Threat Post’s article, “SharePoint Fixes Priority For September 2013 Patch Tuesday,” online SharePoint installations are vulnerable to thirteen critical threats, and Microsoft only patched ten of them. The threats lead to remote code execution on the collaboration server. Nearly all versions of SharePoint are affected, and any installation that has disabled user authentication is at the highest risk.
The CVE-2013-1330 bug is the worst threat. It is a remote code execution flaw that gives the attacker privileges in the context of the W3WP service account, but it requires authentication to gain access. If authentication is turned off, your SharePoint installation is a delightful smorgasbord of hacked information.
Some are surprised by Microsoft’s alarm, and by user ignorance:
“‘It’s interesting that Microsoft prioritized the SharePoint bulletin as highly as they did. In theory, the vulnerability requires authentication. Given the frequency with which people disable SharePoint authentication and the ease of access to documentation on that process, the priority needs to be that high,’ said Tyler Reguly, technical manager of security research and development at Tripwire. ‘People know their computers and email need good passwords. It boggles my mind that we see so many SharePoint deployments in anonymous mode.’”
I have been told multiple times by online expert Stephen E Arnold of Arnold IT to always take security risks seriously and find a solution quickly or private information will be stolen faster than a Google search.
Whitney Grace, September 27, 2013