Microsoft has launched an investigation into an alleged zero-day flaw in its SharePoint groupware package following the public posting of exploit code by a security firm.
As reported over on ITworld, the cross-site scripting vulnerability in SharePoint was originally reported to Microsoft on the 12th of April by security firm High-Tech Bridge. When Microsoft didn't fix the flaw fast enough for the company's consultants, it went public with a post to the Bugtraq security mailing list.
Unfortunately for Microsoft, High-Tech Bridge's posting - entitled "XSS in Microsoft SharePoint Server 2007" - included not only a full description of the as-yet unpatched vulnerability but also a simple proof-of-concept exploit example designed to trigger a JavaScript alert dialog.
While the code posted by High-Tech Bridge is innocuous enough as-is, there are fears that it could be easily exploited by ne'er-do-wells to run third-party code on affected SharePoint servers to access protected documents and download private data.
With no patch yet available from Microsoft, and with many corporations using SharePoint to power their Internet-facing employee intranets - complete with proprietary content such as product plans, customer information, and even financial information - a two-week gap between first notifying the vendor and making the vulnerability public seems a bit harsh, although High-Tech Bridge is quick to point out that those are its standard terms of disclosure.
Microsoft has kept quiet regarding the vulnerability so far, responding only to say that it is tracking the issue and will release its own security advisory with mitigation information and any details of a planned patch as soon as possible.
Do you believe that High-Tech Bridge was remiss in allowing Microsoft only two weeks to fix the flaw before going public, or should Microsoft have got workaround information to companies long before the deadline expired? Share your thoughts over in the forums.