A new security update for SharePoint (WSSv3 / MOSS2007) got released:
Microsoft Security Bulletin MS10-039 – Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2028554)
See also KB979445 -> MS10-039: Description of the security update for Microsoft Office SharePoint Server 2007: June 8, 2010
In case you have installed Feb 2010 CU for WSS V3 you should be safe. We are offering our updates in a cumulative update cycle so our February Update already contains the fix mentioned in the security bulletin. Unfortunately not all SharePoint environments worldwide are updated regularly so just a reminder to think about an update.
*** <Update 2010-07-15> ***
The announced SharePoint security fix (MS10-039) had some effects after installing it. since yesterday, we updated the KB Article KB983444 to give you more insights when problems after installing it happens.
Note! The KB 979445 is not updated because the cause of the known issues are more WSS related than MOSS.
Related posts and info (added 2010-11-19):
After SharePoint security update MS10-039 Central Admin and web pages not working
944267 How to troubleshoot common errors that occur when you run the SharePoint Products and Technologies Configuration Wizard on a computer that is running Windows SharePoint Services 3.0 or SharePoint Server 2007
MS10-039: Description of the security update for Windows SharePoint Services 3.0: June 8, 2010
MS10-039: Description of the security update for Microsoft Office SharePoint Server 2007: June 8, 2010
MS10-039: Vulnerabilities in Microsoft SharePoint could allow elevation of privilege (KB 2028554)
*** </Update 2010-07-15> ***
6/21/2010 – From Joel Oleson’s Blog:
SharePoint has been pretty luck over the years to avoid the focus of hackers and those looking to create exploits.
About a month ago a vulnerability was reported for SharePoint relating to a possible exploit of a 0day elevation of priviledges via a DOS attack to help. The workaround at the time was to disable the help feature in SharePoint.
V1.0 (April 29, 2010): Advisory published.
V2.0 (June 8, 2010): Advisory updated to reflect publication of security bulletin.
<update (June 22, 2010)>The SharePoint Team has responded with a blog titled “Installing KB938444” tracking a small number of customers who have the issue after installing the patch via windows update. The small business server folks also have a post about Central Admin not being accessible after installing KB938444. They also have some suggestions for troubleshooting the patching as it relates to SharePoint patches in general which I recommend reading.</update>
Microsoft responded by Microsoft Security Advisory (983438) and have issued MS10-039 to address this issue. Creating a patch that was flagged as critical. Those which had their SharePoint servers set to auto update were surprised when they came in to find their SharePoint servers were down, or reporting can’t connect to config database.
There apparently are a number of reported issues with the patching where essentially the patch wasn’t successfully installed and are finding issues post install. In many cases the content databases are out of sync with the binaries. Microsoft is investigating these patching issues and may release an updated patch.
A few articles speak to this as a common occurrence and apparently surprised a few people:
There is a good string in the Newsgroups which goes into the detail of people troubleshooting this issue. I recommend everyone read through this string for troubleshooting detail and more awareness of what has been reported.
As with any SharePoint Patch you should never “just install” the patch. You should test it. It is not recommended on SharePoint Server to use Windows Update Automatic updates. For many reasons the databases will likely be in use and a high availability roll through the servers option could be used to deploy the patches.
For anyone who was affected in a negative way, they should first make sure that the install was successful. Check your logs. I expect most of the failures are due to binary install without databases being updated. As is stated in the newsgroups, the best way to force the patch to apply and update the schema to the databases is to run psconfig with the force parameter.
psconfig -cmd upgrade -inplace b2b -wait –force
That’s the recommended way, which is the equivalent of stsadm –o upgrade with the force option. Others @collabadam have reported that retracting and reinstalling manually has addressed the problem.
What people are missing is the fact that patches should never just “be installed” they have to be rolled out. A patch must be installed on each server in the farm, WSS ones first, then MOSS ones. (Yep that applies in this case!!) Then after they are both installed you can then run the psconfig command above. This will ensure the upgrade has fully completed. Note: You may have to reboot if any binaries are in use.
Since SharePoint is an app which essentially is cumulative it is important that patches are installed in the right order. The latest patches in this case should be installed after the latest service pack as a recommended practice.
If it was me and I wanted to ensure it was going to work right, I’d go with the path that Todd Carter recommends for minimizing downtime. (Assuming this is all tested and passed off as good. That is 1) detach your content databases 2) Install patches (WSS first then MOSS across all your servers starting with the central admin box first) 3) Run psconifg on just the central admin box 4) Reattach all your content databases
Essentially it’s basically like doing a database attach upgrade for the patch.
Did a security patch bust WSS 3.0?
Microsoft says it “is investigating new public claims of a possible installation issue involving MS10-039, a bulletin issued in the June update” and “will make further guidance available if necessary once our investigation is complete.”
Here’s my recommendation for this patch:
Hold off on patching if you haven’t on your intranets. I think that’s essentially the tough thing to say since the patch is listed as critical and at the same time may have a regression or bug. Having a DOS attack on an intranet is extremely unlikely. The workaround is to disable the help feature. Don’t do anything rash, follow your procedures for testing and keep in touch with Microsoft.
If you are set to auto update critical patches in any of your SharePoint environments, turn it OFF. You should NEVER have your SharePoint servers set to autoupdate for patching. You should be testing your patches and installing them methodically during a downtime window.
If you have already patched your servers you can either continue with forcing the databases to update with the psconfig –cmd upgrade –inplace b2b –wait –force command. This may take a while, be patient. Reinstalling SharePoint may work, but whatever you reinstall needs to be at a minimum at the version that was installed and applied to the databases. I caution against this since the problem isn’t with the binaries, the problem is in the inconsistency between the databases and the binaries. If the binaries are newer than the databases, they will be upgraded when attached, if the binaries are older then you get the can’t connect to config db error.
If you’re struggling through this, you may find these resources on WSS 3.0 and MOSS 2007 patching useful.
SharePoint TechNet patching resources:
Frequently Asked Questions:
1. Does this affect SharePoint 2010?
2. Why are my servers down?
You likely had auto update turned on and the patch was applied, but the patch wasn’t fully installed to update the schema version in the database.
3. I’m getting can’t connect to database what should I do?
If you’re in a single server farm, you should run the PSConfig wizard or simply at the command prompt run: psconfig –cmd –inplace b2b –wait –force
4. I haven’t installed this critical patch, what should I do?
Don’t install it yet, Microsoft is investigating it. Watch the security bulletins for update of an update of this patch. Bulletin: MS10-039
5. What is the issue in this critical patch?
See below for the info.
6. I’m reading about this and it looks serious why now?
This is actually if you can believe it one of the first critical patches. People who are surprised are those that have auto update turned on. Make sure all your SharePoint servers are not set to auto update.
7. How do I turn off Automatic Updates?
Go into the Control Panel, Double Click on Automatic Updates, and uncheck the box that says “keep my computer up to date…”
8. Why are you saying it’s a best practice NOT to use Automatic Updates for SharePoint?
Because SharePoint patching is tricky. Some patches may take HOURS to update, and patching in SharePoint 2007 causes your environment to be down without manual intervention.
9. Does this patching get any better in SharePoint 2010?
YES! The whole story gets better, that’s for another post, but I still DO NOT recommend Automatic updates. You want to be in control of patches.
10. If I have the MOSS patch do I need the WSS one?
Yes, in fact it should be install the WSS one first, then the MOSS one then psconfig. See the Technet articles for detailed instructions.
11. I’m a little freaked out about all this patching after reading the newsgroups and some of these articles…
Don’t be freaked out. The product team is aware of these issues and has made major investments in SharePoint 2010 to provide more control. Is patching complex in 2007? Yes, it’s a pain, so read up on those technet articles below. It will be one of the painful things you have to do in SharePoint 2007, but the service packs and cumulative updates are worth it. Just make sure you’ve got lots of test experience. Those that have done lots of patching don’t have issues. It’s about being methodical and knowing how to troubleshoot.
Here’s more info on the patch and vulnerabilities
Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (Replaces MS08-077 )
Microsoft Security Bulletin MS10-039: Published June 8
Full details on all the patches in June Black Tuesday (Patch Tuesday)
Common Vulnerabilities and Exposures Database references:
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
Cross-site scripting (XSS) vulnerability in _layouts/help.aspx in Microsoft SharePoint Server 2007 126.96.36.19921 and possibly earlier, and SharePoint Services 3.0 SP1 and SP2, versions, allows remote attackers to inject arbitrary web script or HTML via the cid0 parameter.
Cross-site scripting (XSS) vulnerability in the toStaticHTML API, as used in Microsoft Office InfoPath 2003 SP3, 2007 SP1, and 2007 SP2; Office SharePoint Server 2007 SP1 and SP2; SharePoint Services 3.0 SP1 and SP2; and Internet Explorer 8 allows remote attackers to inject arbitrary web script or HTML via vectors related to sanitization.
Unspecified vulnerability in Microsoft Windows SharePoint Services 3.0 SP1 and SP2 allows remote attackers to cause a denial of service (hang) via crafted requests to the Help page that cause repeated restarts of the application pool, aka “Sharepoint Help Page Denial of Service Vulnerability.”
More information on Symantec’s http://www.securityfocus.com/bid/40409
983444 (http://support.microsoft.com/kb/983444/ ) MS10-039: Description of the security update for Windows SharePoint Services 3.0: June 8, 2010
979445 (http://support.microsoft.com/kb/979445/ ) MS10-039: Description of the security update for Microsoft Office SharePoint Server 2007: June 8, 2010
Info from KB:
“This security update resolves one publicly disclosed and two privately reported vulnerabilities in Microsoft SharePoint. The most severe vulnerability could allow elevation of privilege if an attacker convinced a user of a targeted SharePoint site to click on a specially crafted link.
The security update is rated important for all supported versions of Microsoft SharePoint Services 3.0 and all supported editions of Microsoft Office InfoPath 2003, Microsoft Office InfoPath 2007, and Microsoft Office SharePoint Server 2007. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses the vulnerabilities by modifying the way that Microsoft SharePoint validates input that is provided to an HTTP query, the way that toStaticHTML sanitizes HTML content in Microsoft SharePoint, and the way that Microsoft SharePoint handles specially crafted requests to the Help page. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
This security update also addresses the vulnerability first described in Microsoft Security Advisory 983438.
Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.
Known Issues. Microsoft Knowledge Base Article 2028554 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues. When currently known issues and recommended solutions pertain only to specific releases of this software, this article provides links to further articles.”
For supported editions of Microsoft Office SharePoint Server 2007, in addition to security update package KB979445, customers also need to install the security update for Microsoft Windows SharePoint Services 3.0 (KB983444) to be protected from the vulnerabilities described in this bulletin.
How to obtain help and support for this security update
For home users, no-charge support is available by calling 1-866-PCSAFETY in the United States and Canada or by contacting your local Microsoft subsidiary. For more information about how to contact your local Microsoft subsidiary for support issues with security updates, visit the Microsoft International Support website:
North American customers can also obtain instant access to unlimited no-charge email support or to unlimited individual chat support by visiting the following Microsoft website:
For enterprise customers, support for security updates is available through your usual support contacts
2 thoughts on “Security Bulletin MS10-039”
Great blog. Is the fix for MS10-039 included in the June 2010 WSS and June 2010 MOSS cumulative updates?
as we are offering our updates in a cumulative update cycle so our February Update already contains the fix mentioned in the security bulletin. Also the build number indicates the inclusion of the fix as the june CU 2010 is build 12.0.6539.5000 while the security fix is a lower build.