Recently Microsoft Security Bulletin MS14-022 has been released as Critical. It covers following products:
- Sharepoint Server 2007, 2010, 2013
- WSS 3.0
- Sharepoint Foundation 2010 / 2013
- Office Web Apps Server 2010 / 2013
- Sharepoint Designer 2010 / 2013
Risk: High
Discovered: 05/13/2014
The security update addresses the vulnerabilities by correcting how SharePoint Server and Web Applications sanitize specially crafted page content.
Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2952166)
MS Knowledge Base Article
MS14-022: Vulnerabilities in Microsoft SharePoint Server could allow remote code execution: May 13, 2014
Vulnerabilities Summary:
# |
Vulnerability |
CVE |
Mitigating Factors |
1 |
To exploit any of these related vulnerabilities, an attacker must be able to authenticate on the target SharePoint site. Note that this is not a mitigating factor if the SharePoint site is configured to allow anonymous users to access the site. By default, anonymous access is not enabled. |
||
2 |
CVE-2014-1754 |
Microsoft has not identified any mitigating factors for this vulnerability. |
|
3 |
To exploit this vulnerability, an attacker must be able to authenticate on the target SharePoint site. Note that this is not a mitigating factor if the SharePoint site is configured to allow anonymous users to access the site. By default, anonymous access is not enabled. |
It is good to review the SANS Internet Storm Center for the criticality of these updates
https://isc.sans.edu/
https://isc.sans.edu/
SANS Internet Storm Center – May 2014 Patch Tuesday
Search on the Security Focus site
Recommendation
Run all software with less-privileged user with minimal access rights.