SharePoint Vulnerability and Hotfix Recommendations

SharePoint has been pretty luck over the years to avoid the focus of hackers and those looking to create exploits.

About a month ago a vulnerability was reported for SharePoint relating to a possible exploit of a 0day elevation of priviledges via a DOS attack to help.  The workaround at the time was to disable the help feature in SharePoint.

V1.0 (April 29, 2010): Advisory published.

V2.0 (June 8, 2010): Advisory updated to reflect publication of security bulletin.

<update (June 22, 2010)>The SharePoint Team has responded with a blog titled “Installing KB938444” tracking a small number of customers who have the issue after installing the patch via windows update.  The small business server folks also have a post about Central Admin not being accessible after installing KB938444.  They also have some suggestions for troubleshooting the patching as it relates to SharePoint patches in general which I recommend reading.</update>

Microsoft responded by Microsoft Security Advisory (983438) and have issued MS10-039 to address this issue. Creating a patch that was flagged as critical.  Those which had their SharePoint servers set to auto update were surprised when they came in to find their SharePoint servers were down, or reporting can’t connect to config database.

There apparently are a number of reported issues with the patching where essentially the patch wasn’t successfully installed and are finding issues post install.  In many cases the content databases are out of sync with the binaries.  Microsoft is investigating these patching issues and may release an updated patch.

A few articles speak to this as a common occurrence and apparently surprised a few people:

• SharePoint Servers Fail After Microsoft Patch
• June ‘Black Tuesday’ patch causes SharePoint Woes

There is a good string in the Newsgroups which goes into the detail of people troubleshooting this issue.  I recommend everyone read through this string for troubleshooting detail and more awareness of what has been reported.

• Unable to Connect to Config Db after: KB983444

As with any SharePoint Patch you should never “just install” the patch.  You should test it.  It is not recommended on SharePoint Server to use Windows Update Automatic updates.  For many reasons the databases will likely be in use and a high availability roll through the servers option could be used to deploy the patches.

For anyone who was affected in a negative way, they should first make sure that the install was successful.  Check your logs.  I expect most of the failures are due to binary install without databases being updated.  As is stated in the newsgroups, the best way to force the patch to apply and update the schema to the databases is to run psconfig with the force parameter.

psconfig -cmd upgrade -inplace b2b -wait –force

That’s the recommended way, which is the equivalent of stsadm –o upgrade with the force option.  Others @collabadam have reported that retracting and reinstalling manually has addressed the problem.

What people are missing is the fact that patches should never just “be installed” they have to be rolled out.  A patch must be installed on each server in the farm, WSS ones first, then MOSS ones. (Yep that applies in this case!!)  Then after they are both installed you can then run the psconfig command above.  This will ensure the upgrade has fully completed.  Note: You may have to reboot if any binaries are in use.

Since SharePoint is an app which essentially is cumulative it is important that patches are installed in the right order.  The latest patches in this case should be installed after the latest service pack as a recommended practice.

If it was me and I wanted to ensure it was going to work right, I’d go with the path that Todd Carter recommends for minimizing downtime.  (Assuming this is all tested and passed off as good.  That is 1) detach your content databases 2) Install patches (WSS first then MOSS across all your servers starting with the central admin box first) 3) Run psconifg on just the central admin box 4) Reattach all your content databases

Essentially it’s basically like doing a database attach upgrade for the patch.

Did a security patch bust WSS 3.0?

Microsoft says it "is investigating new public claims of a possible installation issue involving MS10-039, a bulletin issued in the June update" and "will make further guidance available if necessary once our investigation is complete."

Here’s my recommendation for this patch:

Hold off on patching if you haven’t on your intranets.  I think that’s essentially the tough thing to say since the patch is listed as critical and at the same time may have a regression or bug.  Having a DOS attack on an intranet is extremely unlikely.  The workaround is to disable the help feature.  Don’t do anything rash, follow your procedures for testing and keep in touch with Microsoft.

If you are set to auto update critical patches in any of your SharePoint environments, turn it OFF.  You should NEVER have your SharePoint servers set to autoupdate for patching. You should be testing your patches and installing them methodically during a downtime window.

If you have already patched your servers you can either continue with forcing the databases to update with the psconfig –cmd upgrade –inplace b2b –wait –force command. This may take a while, be patient.  Reinstalling SharePoint may work, but whatever you reinstall needs to be at a minimum at the version that was installed and applied to the databases. I caution against this since the problem isn’t with the binaries, the problem is in the inconsistency between the databases and the binaries.  If the binaries are newer than the databases, they will be upgraded when attached, if the binaries are older then you get the can’t connect to config db error.

If you’re struggling through this, you may find these resources on WSS 3.0 and MOSS 2007 patching useful.

• Todd Carter’s Zero Downtime SharePoint Patching Myth

SharePoint TechNet patching resources:

• Updates Resource Center for SharePoint Products and Technologies
• Understanding and deploying hotfixes, public updates, and service packs (WSS)
• Deploying software updates for Windows SharePoint Services 3.0
• Understanding and deploying hotfixes, public updates, and service packs (MOSS)
• Deploying software updates for SharePoint Server 2007

Frequently Asked Questions:

1. Does this affect SharePoint 2010?

No

2. Why are my servers down?

You likely had auto update turned on and the patch was applied, but the patch wasn’t fully installed to update the schema version in the database.

3. I’m getting can’t connect to database what should I do?

If you’re in a single server farm, you should run the PSConfig wizard or simply at the command prompt run: psconfig –cmd –inplace b2b –wait –force

This will force the patch to install.  Note: You may need to reboot

If this issue persists contact support, they are available for free for patching issues. See “Help and Support” below.

4. I haven’t installed this critical patch, what should I do?

Don’t install it yet, Microsoft is investigating it.  Watch the security bulletins for update of an update of this patch. Bulletin: MS10-039

5. What is the issue in this critical patch?

See below for the info.

6. I’m reading about this and it looks serious why now?

This is actually if you can believe it one of the first critical patches.  People who are surprised are those that have auto update turned on.  Make sure all your SharePoint servers are not set to auto update.

7. How do I turn off Automatic Updates?

Go into the Control Panel, Double Click on Automatic Updates, and uncheck the box that says "keep my computer up to date…"

8. Why are you saying it’s a best practice NOT to use Automatic Updates for SharePoint?

Because SharePoint patching is tricky. Some patches may take HOURS to update, and patching in SharePoint 2007 causes your environment to be down without manual intervention.

9. Does this patching get any better in SharePoint 2010?

YES! The whole story gets better, that’s for another post, but I still DO NOT recommend Automatic updates.  You want to be in control of patches.

10. If I have the MOSS patch do I need the WSS one? 

Yes, in fact it should be install the WSS one first, then the MOSS one then psconfig. See the Technet articles for detailed instructions.

11. I’m a little freaked out about all this patching after reading the newsgroups and some of these articles…

Don’t be freaked out.  The product team is aware of these issues and has made major investments in SharePoint 2010 to provide more control.  Is patching complex in 2007?  Yes, it’s a pain, so read up on those technet articles below.  It will be one of the painful things you have to do in SharePoint 2007, but the service packs and cumulative updates are worth it.  Just make sure you’ve got lots of test experience.  Those that have done lots of patching don’t have issues.  It’s about being methodical and knowing how to troubleshoot.

 

Here’s more info on the patch and vulnerabilities

Description

Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (Replaces MS08-077 )

Microsoft Security Bulletin MS10-039: Published June 8

Full details on all the patches in June Black Tuesday (Patch Tuesday)

Credit:
Chris Weber of Casaba Security

Common Vulnerabilities and Exposures Database references:

US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

CVE-2010-0817

Cross-site scripting (XSS) vulnerability in _layouts/help.aspx in Microsoft SharePoint Server 2007 12.0.0.6421 and possibly earlier, and SharePoint Services 3.0 SP1 and SP2, versions, allows remote attackers to inject arbitrary web script or HTML via the cid0 parameter.

CVE-2010-1257

Cross-site scripting (XSS) vulnerability in the toStaticHTML API, as used in Microsoft Office InfoPath 2003 SP3, 2007 SP1, and 2007 SP2; Office SharePoint Server 2007 SP1 and SP2; SharePoint Services 3.0 SP1 and SP2; and Internet Explorer 8 allows remote attackers to inject arbitrary web script or HTML via vectors related to sanitization.

CVE-2010-1264

Unspecified vulnerability in Microsoft Windows SharePoint Services 3.0 SP1 and SP2 allows remote attackers to cause a denial of service (hang) via crafted requests to the Help page that cause repeated restarts of the application pool, aka "Sharepoint Help Page Denial of Service Vulnerability."

More information on Symantec’s http://www.securityfocus.com/bid/40409

 

http://www.microsoft.com/technet/security/bulletin/ms10-039.mspx

983444 (http://support.microsoft.com/kb/983444/ ) MS10-039: Description of the security update for Windows SharePoint Services 3.0: June 8, 2010

979445 (http://support.microsoft.com/kb/979445/ ) MS10-039: Description of the security update for Microsoft Office SharePoint Server 2007: June 8, 2010

Info from KB:

Executive Summary

“This security update resolves one publicly disclosed and two privately reported vulnerabilities in Microsoft SharePoint. The most severe vulnerability could allow elevation of privilege if an attacker convinced a user of a targeted SharePoint site to click on a specially crafted link.

The security update is rated important for all supported versions of Microsoft SharePoint Services 3.0 and all supported editions of Microsoft Office InfoPath 2003, Microsoft Office InfoPath 2007, and Microsoft Office SharePoint Server 2007. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerabilities by modifying the way that Microsoft SharePoint validates input that is provided to an HTTP query, the way that toStaticHTML sanitizes HTML content in Microsoft SharePoint, and the way that Microsoft SharePoint handles specially crafted requests to the Help page. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

This security update also addresses the vulnerability first described in Microsoft Security Advisory 983438.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.

Known Issues. Microsoft Knowledge Base Article 2028554 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues. When currently known issues and recommended solutions pertain only to specific releases of this software, this article provides links to further articles.”

APPLIES TO

• Microsoft Office SharePoint Portal Server 2003 Service Pack 3
• Microsoft Office SharePoint Server 2007
• Microsoft Office SharePoint Server 2007 for Internet Sites
• Microsoft Office SharePoint Server 2007 for Search (Enterprise Edition)
• Microsoft Office SharePoint Server 2007 for Search (Standard Edition)
• Microsoft Windows SharePoint Services 2.0
• Microsoft Office InfoPath 2007
• Microsoft Office InfoPath 2003

Not affected

• SharePoint 2010
• WSS 2.0
• SPS 2003 SP3
• SPS 2001 SP3

^[1]For supported editions of Microsoft Office SharePoint Server 2007, in addition to security update package KB979445, customers also need to install the security update for Microsoft Windows SharePoint Services 3.0 (KB983444) to be protected from the vulnerabilities described in this bulletin.

How to obtain help and support for this security update

For home users, no-charge support is available by calling 1-866-PCSAFETY in the United States and Canada or by contacting your local Microsoft subsidiary. For more information about how to contact your local Microsoft subsidiary for support issues with security updates, visit the Microsoft International Support website:

http://support.microsoft.com/common/international.aspx?rdpath=4 (http://support.microsoft.com/common/international.aspx?rdpath=4)

North American customers can also obtain instant access to unlimited no-charge email support or to unlimited individual chat support by visiting the following Microsoft website:

http://support.microsoft.com/oas/default.aspx?&prid=7552 (http://support.microsoft.com/oas/default.aspx?&prid=7552)

For enterprise customers, support for security updates is available through your usual support contacts.