Microsoft releases an out-of-band security update to address information-disclosure vulnerability in SharePoint Server

To exploit the SharePoint flaw, an attacker would need to send a specially crafted request to a vulnerable SharePoint Server instance

Microsoft has released an out-of-band security update to fix a vulnerability in SharePoint Server, which could enable attackers to steal sensitive information from a vulnerable system.

The vulnerability, indexed as CVE-2019-1491, affects SharePoint Server 2019, SharePoint Enterprise Server 2016, SharePoint Foundation 2013 SP1, and SharePoint Foundation 2010 SP2.

In order to exploit the flaw, an attacker would need to first send a specially crafted request to a vulnerable SharePoint Server instance. Successful exploitation of the bug then enables hackers to read arbitrary files on the server.

Moreover, the information collected from the compromised system could further allow hackers to mount additional attacks.

"The update addresses the vulnerability by changing how affected APIs process requests," Microsoft said in an advisory published on Tuesday.

The Preview Pane in SharePoint is not an attack vector, the software giant revealed.

The bug was discovered by Saif ElSherei, a member of Microsoft Research Centre's Vulnerabilities and Mitigations Team.

Earlier this month, Microsoft released December's Patch Tuesday security update, addressing 36 vulnerabilities across a range of products. Seven of those vulnerabilities were rated as "Critical," while 28 were "Important" and one was of moderate severity.

The critical vulnerabilities included a zero-day in the Windows OS, which, according to Microsoft, has been exploited in the wild. Indexed as CVE-2019-1458, this vulnerability could allow an attacker to run arbitrary code in kernel mode, enabling them to install programmes; view, modify or delete data; or create new user accounts with administrative rights on a compromised system.

The December update also addressed two other critical bugs, tracked as CVE-2019-1468 and CVE-2019-1471.

CVE-2019-1468 is a remote code execution (RCE) bug in the Win32k component.

CVE-2019-1471 is another RCE bug present in the Windows Hyper-V virtualisation toolkit, which could allow a user on a guest OS to run arbitrary code on the underlying host OS.

In addition to Windows, other products that received fixes from Microsoft in December include Microsoft Office, Internet Explorer, Skype for Business, Visual Studio, SQL Server, and Web Apps.