Microsoft announced today that next week’s batch of security updates will patch critical holes in its Outlook email clients and SharePoint collaboration servers, both of which can pose a threat because of the way they’re often used, even without additional security flaws or exploits.
Critical flaws in Outlook, SharePoint and Windows Server 2003 pose threats to corporate networks and datacenters that are just as dangerous, if only by serving as doorways for attackers trying to use them to access more secure parts of a business network.
There are four security patches rated as “critical” among the 14 updates due to ship Sept. 10, covering flaws in Microsoft Windows, SharePoint, Office and Internet Explorer.
Microsoft hasn’t disclosed details about the vulnerabilities, except to say they might allow remote code execution on a server or PC without the knowledge or approval of the user.
In all, four of the 14 security bulletins cover “critical” flaws, affecting Internet Explorer, Microsoft Office Outlook 2007 and 2010, Windows XP, Windows Server 2003, SharePoint Server 2007, 2010 and 2013 and Office Web Apps 2010.
One of the “critical” patches is designed to repair holes in Internet Explorer – which gets a lot of attention because of its ubiquity and the volume of exploits designed to attack it.
Critical flaws in Outlook and SharePoint pose a much greater risk to corporate networks and datacenters, according to Wolfgang Kandek, CTO of security vendor Qualys, as quoted in security developer Kaspersky Labs’ Threatpost news service.
SharePoint servers are a good target for attacks because they can be more easily discovered on corporate networks than end-user applications and because compromising a SharePoint server puts all the users connecting to it at risk, Kandek said.
There are a total of 17 vulnerabilities in SharePoint on the patch list, in versions going all the way back to SharePoint Portal Server 2003, according to ThreatPost, which presents a long list of targets for attackers to exploit, he added.
Having critical flaws that would allow attackers to run unauthorized code on SharePoint Servers is certainly a security risk. Whether it’s a bigger risk than the behavior of authorized users, however, appears to be a tossup.
In a survey released Aug. 12, security firm Cryptozone found that 40 percent of SharePoint users regularly access information or other resources to which they shouldn’t have access, including salary data, details of mergers and acquisitions, protected intellectual property and corporate performance data that could be used for insider trading.
More than half of SharePoint users admitted sending documents secure on a SharePoint server to someone without the right permissions to access the server.
Seventy-six percent acknowledged that sending documents to unauthorized users made the data more vulnerable, but that didn’t stop them. A third told pollsters the risk didn’t bother them if it helped get the job done, while 28 percent said they weren’t concerned because data security wasn’t part of their job.
A higher volume of sensitive data likely flows through Exchange mailboxes of corporate end users, and the Outlook clients on their desktops.
To rate as “critical,” the problems with Outlook 2007 and Outlook 2010 would have to allow attackers to get access to Outlook without any interaction from the user, access usually managed by exploiting weaknesses in Outlook’s preview pane, according to. as quoted in Computerworld.
Flaws in Outlook, almost ubiquitous as the email client for Microsoft Exchange, are considered critical because of Outlook’s huge installed base, the volume of often-sensitive corporate information sent unsecured through email systems and the level of control an attacker can achieve immediately by piggybacking on Outlook’s preview pane as it opens mail automatically.
They’re also good for exploits based on phishing attacks and poisoned Office documents, according to Threatpost.
Image: Shutterstock.com/ Zastolskiy Victor