Microsoft Security Bulletin MS14-073 - Important

Vulnerability in Microsoft SharePoint Foundation Could Allow Elevation of Privilege (3000431)

Published: November 11, 2014

Version: 1.0

Executive Summary

This security update resolves a privately reported vulnerability in Microsoft SharePoint Server. An authenticated attacker who successfully exploited this vulnerability could run arbitrary script in the context of the user on the current SharePoint site. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit these vulnerabilities and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by getting them to open an attachment sent through email.

This security update is rated Important for supported editions of Microsoft SharePoint Server 2010. For more information, see the Affected Software section.

The security update addresses the vulnerability by correcting how SharePoint Server sanitizes modified lists within the SharePoint mobile browser view. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability.

For more information about this update, see Microsoft Knowledge Base Article 3000431.

 

Affected Software

The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

Microsoft Server Software

| Software | Component | Maximum Security Impact | Aggregate Severity Rating | Updates Replaced |
|---|---|---|---|---|
| Microsoft SharePoint Foundation 2010 | | | | |
| Microsoft SharePoint Server 2010 Service Pack 2 | Microsoft SharePoint Foundation 2010 Service Pack 2 (2889838) | Elevation of Privilege | Important | 2589365 in MS13-084 |

Severity Ratings and Vulnerability Identifiers

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the November bulletin summary.

Vulnerability Severity Rating and Maximum Security Impact by Affected Software

| Affected Software | SharePoint Elevation of Privilege Vulnerability - CVE-2014-4116 | Aggregate Severity Rating |
|---|---|---|
| Microsoft SharePoint Server 2010 | | |
| Microsoft SharePoint Foundation 2010 Service Pack 2 | Important / Elevation of Privilege | Important |

SharePoint Elevation of Privilege Vulnerability - CVE-2014-4116

An elevation of privilege vulnerability exists when SharePoint Server does not properly sanitize page content in SharePoint lists. An authenticated attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the logged-on user. Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers. The security update addresses the vulnerability by correcting how SharePoint Server sanitizes modified lists within SharePoint mobile browser view.

Mitigating Factors

The following mitigating factors may be helpful in your situation:

  • In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit these vulnerabilities and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by getting them to open an attachment sent through email.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

FAQ

What might an attacker use the vulnerability to do?
An attacker who successfully exploited the vulnerability could execute arbitrary script in the security context of the logged-on user. The script could then, for example, take actions on the affected SharePoint site on behalf of the logged-on user with the same permissions as the logged-on user.

How could an attacker exploit the vulnerability?
An attacker could modify certain lists within SharePoint to exploit this vulnerability, and then convince users to browse to the modified list.

What systems are primarily at risk from the vulnerability?
Systems running an affected version of SharePoint Server that also support the mobile browser view are primarily at risk.

Security Update Deployment

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced in the Executive Summary.

Acknowledgments

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (November 11, 2014): Bulletin published.

Page generated 2015-01-14 11:54Z-08:00.