
Pretty Big Deal SharePoint Security Patch – Microsoft Security Bulletin MS14-022 – Critical

We’ve come across a SharePoint security concern that requires your attention, if you are not already aware of it.

To be clear – we’re not fans of fear mongering. SharePoint patches pop up frequently, but we’ve identified this one as particularly critical.
We are currently applying this patch internally to protect ourselves and to develop a response to assist our clients with minimal disruption.

We suggest you or your IT team treat this as a top priority and either address this yourself or schedule time with an itgroove consultant to get the patch deployed.

Here’s the background of the issue:
• It’s classified as a “Critical patch” – it’s big enough that the US Department of Homeland Security is addressing it on their site.
• It impacts SharePoint 2007, 2010, 2013 and Microsoft Web Apps (Office Online).
• This patch is particularly important for sites that are connected to the internet.

Here are the technical details:
• It’s an XSS exploit/security patch – basically un-sanitized user input – making it very unlikely that it would be pulled or retro-fitted.
• This affects authorized users or anonymously exposed sites.
• It is for 3 CVEs, none under public attack, and they do require social engineering aimed at your users to trigger.

To learn more, here are some sources to review:
https://isc.sans.edu/diary/Microsoft+May+2014+Patch+Tuesday/18113
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1754
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1754

Please Contact Us to book time with one of our consultants for assistance.