Hello. Today we released Security Advisory 983438, addressing a cross-site scripting (XSS) vulnerability in SharePoint Server 2007 and SharePoint Services 3.0 that could allow Elevation of Privilege (EoP) within the SharePoint site itself. Servers are at reduced risk from Internet Explorer 8 clients, as the Internet Explorer 8 XSS filter helps to mitigate the issue in the internet zone. We are not aware of any active attacks at this time.
Customers running SharePoint Server 2007 or SharePoint Services 3.0 are encouraged to review and apply the mitigations and workarounds discussed in the Security Advisory. These include restricting access to the SharePoint help.aspx XML files and enabling the Internet Explorer 8 XSS filter in the intranet zone.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.
As always, Microsoft strives to work with security researchers to address vulnerabilities in our software. This helps ensure that customers receive comprehensive, high-quality updates before cyber criminals learn of – and work to exploit – a vulnerability. Responsible disclosure protects the computer ecosystem and individual computer users from harm.
Anyone believed to have been affected by this issue can visit: http://support.microsoft.com and should contact the national law enforcement agency in their country.
We will continue to share updates on this blog and through our Twitter feed (@msftsecresponse).
Group Manager, Response Communications
*This posting is provided “AS IS” with no warranties, and confers no rights.*