It happens often: SharePoint administrators open sites to anonymous access, or otherwise loosen the web application’s authentication settings, to make it easier to reach and share documents. Unwittingly, that widens the surface an outside attacker can reach, and in this case it opened a Pandora’s box of security problems.
Microsoft has therefore released a patch (security bulletin MS13-067) that addresses ten vulnerabilities in SharePoint Server and the Office services that run alongside it.
At issue was the ability of attackers to achieve “remote code execution on the collaboration server.” The most serious fix is for the MAC Disabled vulnerability (CVE-2013-1330): when the machine authentication check (MAC) on ASP.NET ViewState is turned off, the server cannot tell its own state data from state an attacker has forged, so specially crafted content sent to the server can run arbitrary code in the context of the W3WP service account, the IIS worker process that hosts SharePoint. (The same bulletin also fixes cross-site scripting flaws in SharePoint; those are separate issues.)
There is a Catch-22 here. The flaw itself requires an authenticated request, so on a locked-down farm only people who can already sign in can reach it; but once authentication has been relaxed to ease sharing, anyone who can reach the server can send that request, and exploitation then needs no user interaction at all.
The same update also clears up a denial of service (DoS) problem in SharePoint Server and a memory corruption problem in the way Office Services and Web Apps parse specially crafted files.
Before the patch, would-be attackers could bring down a SharePoint server with crafted requests if it was reachable without authentication.
In Microsoft’s words, the security update “addresses the vulnerabilities by enabling machine authentication check (MAC) according to best practices, correcting how SharePoint Server sanitizes requests, correcting how SharePoint Server verifies and handles undefined workflows, and correcting how Microsoft Office Services and Web Apps parse specially crafted files.”
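The MAC setting the bulletin refers to lives in each web application’s web.config as the enableViewStateMac attribute on the <pages> element, so a quick way to know whether a farm was exposed before patching is to audit those files. The script below is an added example written for this page; it is not Microsoft’s code and not part of the bulletin. It assumes the default location of SharePoint web application directories (C:\inetpub\wwwroot\wss\VirtualDirectories) and uses a constructed pair of web.config files under %TEMP% to show the output; both are assumptions you should replace with your own paths.

```powershell
# Added example (not from the article or from Microsoft): audit SharePoint
# web.config files for a disabled ASP.NET machine authentication check (MAC),
# the setting behind CVE-2013-1330. The search root below is the default
# SharePoint virtual directory location and is an assumption; pass -Root to
# override it on a farm that uses another path.

function Test-ViewStateMac {
    # Returns one object per <pages> element found in the given web.config,
    # flagging the file as Weak only when enableViewStateMac is explicitly "false".
    param([Parameter(Mandatory)][string]$Path)

    [xml]$cfg = Get-Content -LiteralPath $Path -Raw

    # XPath catches <pages> under <system.web> anywhere, including copies
    # that sit inside <location> overrides.
    $pagesNodes = $cfg.SelectNodes('//system.web/pages')

    if ($pagesNodes.Count -eq 0) {
        # No <pages> element at all: ASP.NET's default is enableViewStateMac="true".
        return [pscustomobject]@{
            Path               = $Path
            EnableViewStateMac = '(default: true)'
            Weak               = $false
        }
    }

    foreach ($node in $pagesNodes) {
        $value = $node.GetAttribute('enableViewStateMac')   # "" when the attribute is absent
        if ([string]::IsNullOrEmpty($value)) { $value = '(default: true)' }
        [pscustomobject]@{
            Path               = $Path
            EnableViewStateMac = $value
            Weak               = ($value -ieq 'false')
        }
    }
}

function Find-WeakViewStateMac {
    # Walks every web.config under the root and returns only the weak ones.
    param([string]$Root = 'C:\inetpub\wwwroot\wss\VirtualDirectories')  # assumed default

    Get-ChildItem -LiteralPath $Root -Filter web.config -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Test-ViewStateMac -Path $_.FullName } |
        Where-Object { $_.Weak }
}

# Constructed sample (not a real farm): one weak and one hardened web.config.
$sampleRoot = Join-Path $env:TEMP 'macaudit'
New-Item -ItemType Directory -Force -Path (Join-Path $sampleRoot 'weak'), (Join-Path $sampleRoot 'ok') | Out-Null

@'
<configuration>
  <system.web>
    <pages enableViewStateMac="false" enableEventValidation="true" />
  </system.web>
</configuration>
'@ | Set-Content -LiteralPath (Join-Path $sampleRoot 'weak\web.config') -Encoding UTF8

@'
<configuration>
  <system.web>
    <pages enableViewStateMac="true" enableEventValidation="true" />
  </system.web>
</configuration>
'@ | Set-Content -LiteralPath (Join-Path $sampleRoot 'ok\web.config') -Encoding UTF8

# Only the weak file is reported.
Find-WeakViewStateMac -Root $sampleRoot | Format-Table Path, EnableViewStateMac -AutoSize
```

Run it with the default root (or -Root pointing at your farm’s virtual directories) on each web front end, since web.config is a per-server file. A reported file is remediated by setting the attribute to "true" or removing it, which in a SharePoint farm should be done through SharePoint’s own web.config modification mechanism rather than by hand so that the change reaches every front end; and MS13-067 itself, together with later ASP.NET updates, enforces the check regardless of the attribute, which is why the bulletin describes the fix as “enabling machine authentication check”.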
Acceptability of the ‘App Model’
When it comes to assessing the viability of SharePoint’s App Model, questions persist about “full-trust solutions” built against the suite’s server-side object model. By default, such solutions place custom code directly inside the SharePoint server processes, where any bug or backdoor in that code runs with the server’s own privileges.
More importantly, full-trust solutions are not ready for the cloud. As CMS Wire puts it, they are simply not practical in multi-tenant “implementations”: a host cannot let one tenant’s arbitrary code run inside a process shared with other tenants, which is why the App Model moves custom code out of the SharePoint server.