'Tens of Thousands' of SharePoint Servers at Risk. Microsoft Issues No Patch (msn.com)
"Anybody who's got a hosted SharePoint server has got a problem," the senior VP of cybersecurity firm CrowdStrike told the Washington Post. "It's a significant vulnerability."
And it's led to a new "global attack on government agencies and businesses" in the last few days, according to the article, "breaching U.S. federal and state agencies, universities, energy companies and an Asian telecommunications company, according to state officials and private researchers..."
"Tens of thousands of such servers are at risk, experts said, and Microsoft has issued no patch for the flaw, leaving victims around the world scrambling to respond." (Microsoft says they are "working on" security updates "for supported versions of SharePoint 2019 and SharePoint 2016," offering various mitigation suggestions, and CISA has released their own recommendations.)
From the Washington Post's article Sunday: Microsoft has suggested that users make modifications to SharePoint server programs or simply unplug them from the internet to stanch the breach. Microsoft issued an alert to customers but declined to comment further... "We are seeing attempts to exploit thousands of SharePoint servers globally before a patch is available," said Pete Renals, a senior manager with Palo Alto Networks' Unit 42. "We have identified dozens of compromised organizations spanning both commercial and government sectors."
With access to these servers, which often connect to Outlook email, Teams and other core services, a breach can lead to theft of sensitive data as well as password harvesting, Netherlands-based research company Eye Security noted. What's also alarming, researchers said, is that the hackers have gained access to keys that may allow them to regain entry even after a system is patched. "So pushing out a patch on Monday or Tuesday doesn't help anybody who's been compromised in the past 72 hours," said one researcher, who spoke on the condition of anonymity because a federal investigation is ongoing.
The breaches occurred after Microsoft fixed a security flaw this month. The attackers realized they could use a similar vulnerability, according to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. CISA spokeswoman Marci McCarthy said the agency was alerted to the issue Friday by a cyber research firm and immediately contacted Microsoft... The nonprofit Center for Internet Security, which staffs an information-sharing group for state and local governments, notified about 100 organizations that they were vulnerable and potentially compromised, said Randy Rose, the organization's vice president. Those warned included public schools and universities. Others that were breached included a government agency in Spain, a local agency in Albuquerque and a university in Brazil, security researchers said.
But there are many more breaches, according to the article:
- "Eye Security said it has tracked more than 50 breaches, including at an energy company in a large state and several European government agencies."
- "At least two U.S. federal agencies have seen their servers breached, according to researchers."
- "One state official in the eastern U.S. said the attackers had 'hijacked' a repository of documents provided to the public to help residents understand how their government works. The agency involved can no longer access the material..."
"It was not immediately clear who is behind the hacking of global reach or what its ultimate goal is. One private research company found the hackers targeting servers in China..."
Just stop (Score:4, Insightful)
Stop using toy operating systems for doing corporate work. If someone wants to put up a personal blog or a cute kittens website, I suppose this stuff will do. Other than that, don't.
Re: (Score:2)
Re:Just stop (Score:4, Insightful)
Re: (Score:3)
They're pivoting to video, err, AI (Score:2)
AI is the future. Ignore the previous failures. AI is the future.
Re: (Score:3)
Wut? (Score:2)
almost as interesting as the invention of a microcomputer
lolwut?
One is suddenly making available to the regular person at home a tool to do computations (despite a lot less complex and powerful) that was previously available only to universities, government and corporations,
while the other is a money extraction scheme designed to keep hopes of growth and confidence in stocks of a few big corporations who are in a race of "who is going to build the largest possible datacenter / boil lakes the fastest / and completely break the internet with AI slop?"
To keep with you
Re: Just stop (Score:2)
I think about 10 years ago, there was a theory that people could own their own information
That was changed in the 1996 Telecommunications Act, I believe. So, about 30 years ago.
Funny thing: This applies to telecommunications companies. So if you find some outfit hoarding data, you can be certain that their intent is to place themselves under the authority of the FCC.
EULA (Score:4, Insightful)
If they could get your soul, they would.
You haven't been paying attention to the 143 pages of legalese in the EULA, have you?
(In a time-line where Disney would try to lawyer out of an allergy death on the grounds of the arbitration clause of a trial subscription to a streaming service a couple of years before, I am only half joking)
Re: (Score:2)
There are obscure options and files you can add to the installation image that give you choice back. I just tried to install Win11 pro over Win11 home (fresh install, wipe everything) and that only worked after I added some file to the install disk. Before the installer just checks the serial stored on that machine and gives you no choice. Really unprofessional.
Win11 is much more difficult to figure out than Linux ever was. Fortunately, there is web-search. Unfortunately, I think I cannot quite do without W
Re: (Score:2)
Linux was never very difficult to figure out. For you maybe.
Re: (Score:2)
0) to answer the predictable objections to searching out obscure options and install your next OS as you want, if you already know you want to partition your storage to your preference, you should have looked into this before you started installing.
1) Ditto for wanting to install a second bootable OS. Or have the option later.
2) Linux was never intended to be 'easy to use', merely rational and understandable. Until Systemd. Then the 'easy to use' turned into 'not a lot like Linux used to be'. Be careful wh
Re: (Score:2)
2) Linux was never intended to be 'easy to use', merely rational and understandable. Until Systemd. Then the 'easy to use' turned into 'not a lot like Linux used to be'. Be careful what you ask for.
I do not run Systemd. So far I avoided 2 (!) rather serious security issues because of that and probably quite a few smaller issues. And all my installations run just fine.
Re: (Score:2)
You need to learn the difference between a relative and an absolute comparison. If you are smart enough to understand it.
VM (Score:2)
Unfortunately, I think I cannot quite do without Windows at this time.
There's always the option of going Linux for your main OS and using VirtualBox for the 1 or 2 small things that still require Windows.
(Spoken from personal experience a decade ago or so. By now my universities' office 365 can run in Firefox (container) tabs, ProtonDB on my SteamDeck is stellar, I don't own any electronic gizmo that requires a Windows app to sync/update etc. (*), and I don't care enough about anything else to dust off that VM)
(*): By now electronic gizmos either have Wifi to update themselves
Re: (Score:2)
Unfortunately that "small thing" is MS Teams. That one is unreliable even when run natively with Windows on the metal. And my experience with A/V on Vbox is not the best.
Re: (Score:2)
Unfortunately that "small thing" is MS Teams.
I'm surprised this is the example you're using. MS Teams seems to run perfectly fine (as good as elsewhere) in the browser (Chrome, Firefox, etc..) on Linux, audio and video as well. You don't even need a VM for that.
Surely there are other widely used programs that don't run native on Linux and suffer from poor performance, or other issues, when run under a VM?
Re: (Score:2)
Teams was rewritten not long ago; perhaps sometime last year?
Before that it was very wonky on our corporate Win10 laptops
Re: (Score:2)
And that is what I will try next. I do need full screen, application sharing and good audio though.
Re: (Score:2)
Unfortunately, I think I cannot quite do without Windows at this time.
I have a corporate customer for whom I install Linux and VirtualBox on the bare metal, then install Windows in VirtualBox. It works great.
Re: (Score:2)
What about Teams for video-conferencing? That is currently the one thing holding me back. I tried Audio/Video stuff on VBox in the past with not so good results.
Re: (Score:2)
Re: (Score:2)
The unsupported version? Sorry, but that is not an option.
Re: (Score:2)
I just tried to install Win11 pro over Win11 home (fresh install, wipe everything) and that only worked after I added some file to the install disk.
To get Pro from a Home install you just need to give Windows the Pro key. The system will do a few things and reboot, after which you should have Win11 Pro.
Re: (Score:3)
In the past I could change the hard drive partition
You still can. The option isn't just presented in a big list of tools in the control panel. Ironically for your complaint Disk Management and the way it is done is one of the very few things that *hasn't* changed in over a decade. In fact a few years ago they made it easier since you can now open disk management by right clicking on the start button and clicking disk management (which is strange because I'm surprised Microsoft would elevate such a rarely used MMC snapin to such a prominent and easy to acces
Re: (Score:2)
They're too busy renegotiating their parking space, or choosing a colour for their business cards to think about security or redundancy or risk management.
The sales rep with the shiny new Beemer told them that everything would be fine, so they just signed a cheque and went back to the board with a glowing quarter report.
Anyone who uses Sharepoint is getting exactly what they deserve. And the
Re: (Score:3)
In this case the OS is the problem.
Re: (Score:2)
Indeed. These fuckups are a fossil from the times that software did not have to be secure. And they never adapted and probably cannot adapt. Remember that security is, at this time, still their "highest priority", which means this crap is really the best they can do. And it does not cut it.
Although quite a few people use a real OS and real server software for their personal stuff.
Re: (Score:2)
These fuckups are a fossil from the times that software did not have to be secure.
When did that change?
Re: (Score:3)
When the Internet became widespread. Or before users had accounts on regular computers, take your pick.
Re: (Score:3)
Re: (Score:2)
Damn, I thought just shouting zero trust harder would keep hackers away.
Re: (Score:2)
Re: (Score:2)
Why? No, seriously, give me some numbers. Show me how the GDP or profits would change as a result of using a different system. That's all we care about. You arbitrarily label one thing a "toy" and I say "well our competitor who is making $10bn / month is using that toy so clearly it's not a toy".
To be clear this isn't an argument for or against any system. It is an argument that you and other Linux proponents will never win simply by childishly slagging off the competition, especially since that competition is
Re: (Score:2)
Do go on playing with your toy for ever and ever, and one day they will bronze you and hang you up on the wall like baby shoes.
Re: (Score:2)
I don't play with "toys". I work with them. I would love nothing more than to work with Linux instead like I do on my home computer. But in order to do that we need serious adults to make serious arguments for adopting Linux rather than schoolyard name calling. Quite frankly the Linux world (especially here on Slashdot) is self defeating in its childishness. No one will take Linux seriously until Linux proponents can be taken seriously, and you're not helping in that regard.
So yes, the toy makes the world a
Re: (Score:2)
Do you really think this is an operating system problem (unless you want to call Azure an OS)? It is an application built upon the OS not the OS itself. SharePoint is the target because there are just so many users of it and they are putting high value data in it (along with a lot of junk... as the funny comment below said). Any other program that achieved that level of value would also be a target.
This type of thing would happen even if it were Linux (or any other "non-toy" OS). There is always some bug in
Microsoft Cheese (Score:5, Funny)
Microsoft cheese is like a cross between American cheese and Swiss cheese. Microsoft cheese is not too hard and full of holes, like swiss cheese, at the same time Microsoft cheese is mostly fake and tastes awful, like American cheese.
Re: (Score:1)
Re:Microsoft Cheese (Score:5, Funny)
Re: (Score:2)
Americans don't know cheese. How would I know? Just look at the cheese we made, it's not even cheese, it's 'cheese product'. I threw up in my mouth a bit just saying it.
Looks like any of these fit the description:
https://duckduckgo.com/?q=swis... [duckduckgo.com]
So, you tell me is there one of these relatively soft, holey, swiss cheeses that stinks too? That'd be the one.
Re: (Score:2)
Gourmet Food World - American Cheese [gourmetfoodworld.com]
Re: (Score:3)
Re: (Score:2)
"There's something really nasty about the smell of this, I can't describe it."
That pretty much says it all. You don't want to know how the Microsoft cheese is made.
Fun video.
Re: (Score:2)
Re: (Score:1)
In idiomatic American English, "Swiss cheese" is something like Emmentaler, almost always with holes: https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Emmental it would appear. Trick question?
Driving companies off legacy products (Score:2)
Shifting companies off of sharepoint and onto whatever newer cloud based Microsoft products is a win for Microsoft.
Re: (Score:2)
Sharepoint in the cloud, yeah. Something tells me they patch that one.
I don't see the problem (Score:5, Funny)
The product is called SharePoint, right? And what's happening is your files are being shared with everybody in the world. So what's with all the whining?
It's right there in the name!
Re: (Score:2)
It's being split into two versions: HackPoint and LeakPoint.
Re: (Score:2)
I posted mine too late and didn't see your comment. Yeah, it's obvious, isn't it? lol
I would not be surprised if... (Score:2)
Re: (Score:2)
Me neither.
However, would that type of information stored on Sharepoint servers not also be a data "goldmine" for AI dataset harvesters? So now you do not need to shield yourself from hackers and ransomware groups, but AI "harvesters" as well? Probably even more so, now that those can relentlessly attack and learn without stopping, under the guise of "but China...".
Just as there was/is a need for software that severely limits the rate of login attempts, there is now also a need for similar software to block
Re: (Score:2)
Re: (Score:2)
Right now there are a bunch of Microsoft junior devs in the "vibe coding" department of the Sharepoint division arguing about what prompts they need to get the AI to fix the bug it introduced.
Kid1: "See! With my prompt, it says it's fixed the bug, and produces tests to prove it"
Kid2: "Yes, but the security researchers say the problem still exists"
Kid1: "But... the AI says its fixed - we should ship this"
Bad news first (Score:5, Funny)
The bad news: Hackers have gained access to thousands of SharePoint servers.
The good news: It will be of no use to them, because just like the befuddled employees who are stuck using SharePoint, the hackers won't be able to find any relevant information in the byzantine hierarchy of pseudo folders packed with stale artifacts.
Re: (Score:2)
Sharepoint is a piece of crap. Many groups in our org turned to email to "publish" internal info instead of use Sharepoint. Now our in-boxes are full of distracting crap. We had a self-rolled intranet CMS before Sharepoint, and it was fairly decent, but instead of improving it, they threw it out and replaced it with Sharepoint, which everybody hated.
Re: (Score:2)
if users are browsing folders, the system isn't customized enough.
sharepoint can be incredibly effective provided someone basically redesigns it.
JFC (Score:3)
Burn it down. At this point it's the only option against Microsoft.
Considering how much these people are being overpaid and the number of bugs which appear on a near daily basis, at some point you have to tear it down and start fresh.
Re: (Score:2)
Microsoft doesn't overpay its people. It only fires people nowadays.
What Microsoft does do too much of is overestimate the quality of their CoPilot products.
Re: (Score:2)
This is also the only option because there are strong indicators they have piled up too much technological debt that their stuff cannot be fixed anymore. Or make any real progress.
Time to hand out fines (Score:2)
If MS sells software and support to government agencies, they should be on the hook if or when their software creates critical vulnerabilities in infrastructure. Especially if they don't have a patch immediately!
Re:Time to hand out fines (Score:5, Informative)
To be fair, it sounds as if they haven't figured out a decent patch. I mean when they're recommending that users make the systems safe by unplugging them, it doesn't sound like they've got a better idea.
Re: (Score:3)
Time to hand out Awards! (Score:2)
To be fair, it sounds as if they haven't figured out a decent patch. I mean when they're recommending that users make the systems safe by unplugging them, it doesn't sound like they've got a better idea.
Or, perhaps they’ve suggested the most amazing incredible bulletproof patch fix to ever exist for Microsoft products! I mean, an unplugged Sharepoint server? Talk about secure!
Why, I’d dare suggest the only thing safer would be if it were behind a closet door. With a lock, and a sign hanging that reads “Don’t Feed The Frameworks”.
/s
We trust CrowdStrike now? (Score:3)
Well, on this thing, probably, but after their last disaster they have to be counted as the dumbest fucks you can find in IT security.
Re: (Score:2)
There's over 10000 people working at crowdstrike, and you are judging all of them based on what ultimately was the result of a handful of them. Man, can you imagine if we judged Slashdot based on just your posts? Half of us would fall on our swords out of the sense of shame.
What does this company do again? (Score:4, Funny)
Deserialization of untrusted data :o (Score:3)
The way I see it... (Score:2)
It is called "SharePoint" after all, not "SelfishPoint", right?
Patches are out now (Score:3)
The KB5002754 update for Microsoft SharePoint Server 2019.
The KB5002768 update for Microsoft SharePoint Subscription Edition.
The update for Microsoft SharePoint Enterprise Server 2016 has not been released yet.
A more detailed explanation: (Score:4, Interesting)
The vulnerability is related to this:
https://www.zerodayinitiative.... [zerodayinitiative.com]
"As you can see, the steps for parsing content at processing time are very similar to the parsing steps at verification time. However, there is a critical one-line difference:
text4 = HttpUtility.HtmlDecode(text4);
At processing time, attribute values are HTML-decoded by the parser, but there is no corresponding line at verification time. This means that if we have an ASPX tag with an attribute such as runat="erver", the EditingPageParser.VerifyControlOnSafeList() function will not consider it a server-side control and will not check it for safety. At processing time, however, it will be recognized and executed as a server-side control."
And the story today ...
https://research.eye.security/... [research.eye.security]
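An added illustration of the one-line difference quoted above (this is a constructed Python model, not code from the ZDI post, Eye Security, or SharePoint): a toy two-pass parser in which only the processing pass HTML-decodes attribute values, shown beside a hardened verification pass that canonicalises the same way before deciding. The tag names, the safe list and the entity-encoded attribute value are all constructed for the example.

```python
import html
import re

# Constructed model of the verification/processing parser differential.
# Not SharePoint's code; all function names and sample tags are hypothetical.
TAG_NAME_RE = re.compile(r"<\s*([\w:]+)")
ATTR_RE = re.compile(r'([\w:]+)\s*=\s*"([^"]*)"')


def tag_name(tag: str) -> str:
    """Lower-cased element name of a single tag such as <asp:Label ... />."""
    match = TAG_NAME_RE.match(tag.strip())
    if match is None:
        raise ValueError("not a tag: %r" % tag)
    return match.group(1).lower()


def parse_attributes(tag: str, decode: bool) -> dict:
    """Attribute name -> value; html.unescape() runs only when decode=True."""
    return {
        name.lower(): (html.unescape(value) if decode else value)
        for name, value in ATTR_RE.findall(tag)
    }


def is_server_control(attrs: dict) -> bool:
    """ASPX treats a tag as a server-side control when runat="server"."""
    return attrs.get("runat", "").lower() == "server"


def verify_vulnerable(tag: str, safe_list: set) -> bool:
    """Verification pass WITHOUT decoding: an entity-encoded runat value is not
    recognised, so the tag is never compared against the safe list."""
    attrs = parse_attributes(tag, decode=False)
    if not is_server_control(attrs):
        return True  # looks like plain markup, nothing to verify
    return tag_name(tag) in safe_list


def verify_fixed(tag: str, safe_list: set) -> bool:
    """Hardened verification: decode exactly as the processing pass does,
    then decide, so every tag that will execute is checked."""
    attrs = parse_attributes(tag, decode=True)
    if not is_server_control(attrs):
        return True
    return tag_name(tag) in safe_list


def will_execute_as_server_control(tag: str) -> bool:
    """Processing pass: values are decoded, so the encoded runat matches."""
    return is_server_control(parse_attributes(tag, decode=True))


def differential(tag: str, safe_list: set) -> dict:
    """Accepted by each verifier vs. executed by the processing pass."""
    return {
        "vulnerable_accepts": verify_vulnerable(tag, safe_list),
        "fixed_accepts": verify_fixed(tag, safe_list),
        "executes": will_execute_as_server_control(tag),
    }


SAFE_LIST = {"asp:label"}  # constructed safe list
PLAIN = '<asp:Label runat="server" Text="hi" />'
ENCODED = '<Foo:Bar runat="&#115;erver" />'  # constructed: "s" as a numeric entity

if __name__ == "__main__":
    print(differential(PLAIN, SAFE_LIST))
    print(differential(ENCODED, SAFE_LIST))
```

The general lesson the model shows is that a safe-list check must see the same canonical form the executing parser sees; decoding after the check reopens the gap for any encoding the later pass understands.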