MS11-074: Vulnerabilities in Microsoft SharePoint could allow elevation of privilege: September 13, 2011

Article translations Article translations
Article ID: 2451858 - View products that this article applies to.
Expand all | Collapse all

On This Page

INTRODUCTION

Microsoft has released security bulletin MS11-074. To view the complete security bulletin, visit one of the following Microsoft Web sites:

How to obtain help and support for this security update

Help installing updates: Support for Microsoft Update

Security solutions for IT professionals: TechNet Security Troubleshooting and Support

Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center

Local support according to your country: International Support

Known issues and additional information about this security update

The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information. If this is the case, the known issue is listed below each article link.
  • 2493987 MS11-074: Description of the security update for Windows SharePoint Services 3.0: September 13, 2011

    Known issues in security update 2493987:
    • Known issue 1

      Symptom
      If the SharePoint Products and Technologies Configuration Wizard does not finish its task, SharePoint may be left in an inconsistent state. You may be unable to browse the Central Administration or SharePoint site, and you receive one of the following error messages:

      Error message 1

      Server Error: http://go.microsoft.com/fwlink?LinkID=96177

      Error message 2

      HTTP 404 Not Found

      Error message 3

      Cannot connect to the configuration database

      Resolution

      For more information about how to resolve this issue, click the following article number to view the article in the Microsoft Knowledge Base:
      944267 How to troubleshoot common errors that occur when you run the SharePoint Products and Technologies Configuration Wizard on a computer that is running Windows SharePoint Services 3.0 or SharePoint Server 2007
    • Known issue 2

      Symptom

      Users are prompted for authentication when they try to browse a SharePoint site. Windows Server 2003 SP1 and Windows Server 2008 include a loopback check security feature that helps prevent reflection attacks on your computer. Therefore, authentication fails if the fully qualified domain name (FQDN) or the custom host header that you use does not match the local computer name.

      Workaround

      There are two methods to work around this issue. Use one of the following methods, as appropriate for your situation.

      Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
      322756 How to back up and restore the registry in Windows

      Method 1: Specify host names (the preferred method for NTLM authentication)

      To specify the host names that are mapped to the loopback address and can connect to websites on your computer, follow these steps:
      1. Set the DisableStrictNameChecking registry entry to 1. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
        281308 Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
      2. Click Start, click Run, type regedit, and then click OK.
      3. In Registry Editor, locate and then click the following registry key:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
      4. Right-click MSV1_0, point to New, and then click Multi-String Value.
      5. Type BackConnectionHostNames, and then press ENTER.
      6. Right-click BackConnectionHostNames, and then click Modify.
      7. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
      8. Exit Registry Editor, and then restart the IISAdmin service.

      Method 2: Disable the loopback check (the less-recommended method)

      Warning This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

      The second method is to disable the loopback check by setting the DisableLoopbackCheck registry entry.

      To set the DisableLoopbackCheck registry key, follow these steps:
      1. Set the DisableStrictNameChecking registry entry to 1. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
        281308 Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
      2. Click Start, click Run, type regedit, and then click OK.
      3. In Registry Editor, locate and then click the following registry key:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
      4. Right-click Lsa, point to New, and then click DWORD Value.
      5. Type DisableLoopbackCheck, and then press ENTER.
      6. Right-click DisableLoopbackCheck, and then click Modify.
      7. In the Value data box, type 1, and then click OK.
      8. Exit Registry Editor, and then restart your computer.
      For more information, click the following article number to view the article in the Microsoft Knowledge Base:
      926642 Error message when you try to access a server locally by using its FQDN or its CNAME alias after you install Windows Server 2003 Service Pack 1: "Access denied" or "No network provider accepted the given network path"
    • Known issue 3

      After you install this security update on a Windows Small Business Server-based computer that is running Windows SharePoint Services 3.0, in some scenarios, the SharePoint Companyweb and Central Administration pages may not be available. For more information about this issue and about how to resolve the issue, visit the following Microsoft TechNet webpage:
      http://blogs.technet.com/b/sbs/archive/2010/06/18/companyweb-and-sharepoint-central-admin-not-accessible-after-installing-kb983444.aspx
    • Known issue 4

      This security update may appear multiple times in the Installed Updates list after you install it. This occurs because this update is applied to multiple Office applications.
  • 2494001 MS11-074: Description of the security update for Microsoft SharePoint Foundation 2010: September 13, 2011

    Known issues in security update 2494001:
    • The InfoPath browser forms that contain the Person/Group Picker fields that are bound to controls that reside on multiple views do not keep their values on when you switch views.

      To work around this issue, you can install the following August SharePoint Cumulative Update:
      2553031 Description of the SharePoint Foundation 2010 hotfix package (sts-x-none.msp): August 30, 2011
  • 2494007 MS11-074: Description of the security update for Windows SharePoint Services 2.0: September 13, 2011

    Known issues in security update 2494007:
    • After you install security update 2494007, some Data View Web Parts may stop rendering in a web browser. When the problem occurs, you may receive an error message that resembles the following:

      Unable to display this Web Part. To troubleshoot the problem, open this Web page in a Windows SharePoint Services-compatible HTML editor such as FrontPage. If the problem persists, contact your Web server administrator.


      For more information about this known issue, click the following article number to view the article in the Microsoft Knowledge Base:
      2623732 Security Update MS11-074 for WSS 2.0/SPS 2003 breaks Data View Web Part
  • 2494022 MS11-074: Description of the security update for Office SharePoint Server 2010 (osrchwfe): September 13, 2011
  • 2508964 MS11-074: Description of the security update for Microsoft Office SharePoint Server 2007 (coreserver.msp): September 13, 2011

    Known issues in security update 2508964:
    • Known issue 1

      Symptom
      If the SharePoint Products and Technologies Configuration Wizard does not finish its task, SharePoint may be left in an inconsistent state. You may be unable to browse the Central Administration or SharePoint site, and you may receive one of the following error messages:

      Error message 1

      Server Error: http://go.microsoft.com/fwlink?LinkID=96177

      Error message 2

      HTTP 404 Not Found

      Error message 3

      Cannot connect to the configuration database

      Resolution

      For more information about how to resolve this issue, click the following article number to view the article in the Microsoft Knowledge Base:
      944267 How to troubleshoot common errors that occur when you run the SharePoint Products and Technologies Configuration Wizard on a computer that is running Windows SharePoint Services 3.0 or SharePoint Server 2007
    • Known issue 2

      Symptom

      Users are prompted for authentication when they try to browse a SharePoint site. Windows Server 2003 SP1 and Windows Server 2008 include a loopback check security feature that helps prevent reflection attacks on your computer. Therefore, authentication fails if the fully qualified domain (FQDN) or the custom host header that you use does not match the local computer name.

      Workaround

      There are two methods to work around this issue. Use one of the following methods, as appropriate for your situation.

      Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
      322756 How to back up and restore the registry in Windows

      Method 1: Specify host names (the preferred method for NTLM authentication)

      To specify the host names that are mapped to the loopback address and can connect to websites on your computer, follow these steps:
      1. Set the DisableStrictNameChecking registry entry to 1. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
        281308 Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
      2. Click Start, click Run, type regedit, and then click OK.
      3. In Registry Editor, locate and then click the following registry key:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
      4. Right-click MSV1_0, point to New, and then click Multi-String Value.
      5. Type BackConnectionHostNames, and then press ENTER.
      6. Right-click BackConnectionHostNames, and then click Modify.
      7. In the Value data box, type the host name or the host names for the sites that are on the local computer, and then click OK.
      8. Exit Registry Editor, and then restart the IISAdmin service.

      Method 2: Disable the loopback check (the less-recommended method)

      Warning This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

      The second method is to disable the loopback check by setting the DisableLoopbackCheck registry entry.

      To set the DisableLoopbackCheck registry key, follow these steps:
      1. Set the DisableStrictNameChecking registry entry to 1. For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
        281308 Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name
      2. Click Start, click Run, type regedit, and then click OK.
      3. In Registry Editor, locate and then click the following registry key:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
      4. Right-click Lsa, point to New, and then click DWORD Value.
      5. Type DisableLoopbackCheck, and then press ENTER.
      6. Right-click DisableLoopbackCheck, and then click Modify.
      7. In the Value data box, type 1, and then click OK.
      8. Exit Registry Editor, and then restart your computer.
      For more information, click the following article number to view the article in the Microsoft Knowledge Base:
      926642 Error message when you try to access a server locally by using its FQDN or its CNAME alias after you install Windows Server 2003 Service Pack 1: "Access denied" or "No network provider accepted the given network path"
    • Known issue 3

      After you install this security update on a Windows Small Business Server-based computer that is running Office SharePoint Server 2007, in some scenarios, the SharePoint Companyweb and Central Administration pages may not be available. For more information about this issue and about how to resolve the issue, visit the following Microsoft TechNet webpage:
      http://blogs.technet.com/b/sbs/archive/2010/06/18/companyweb-and-sharepoint-central-admin-not-accessible-after-installing-kb983444.aspx
    • Known issue 4

      This security update may appear multiple times in the Installed Updates list after you install it. This occurs because this update is applied to multiple Office applications.
  • 2508965 MS11-074: Description of the security update for Groove Server 2010 (ems.msp, emsmui.msp, grs.msp): September 13, 2011

    Known issues in security update 2508965:
    • Even if you have a successful installation, you may find that the entry for this security update is missing in Add or Remove Programs.

      To determine whether the update is already installed on the system, save the following Visual Basic script as "Groove_KB2508965_Check.vbs." Then, run it with administrative credentials. The script displays a dialog box that shows the detection results.
      Set msi = CreateObject("WindowsInstaller.Installer")

      sMspTargets = "{90140000-1106-0000-1000-0000000FF1CE};{90140000-1109-0000-1000-0000000FF1CE}"

      sResult = ""

      For Each prod in msi.Products

      If InStr(sMspTargets,prod) > 0 Then

      sPatchCode = "{6EA8F18D-803D-4CB7-AC71-F674B7500670}"

      If prod = "{90140000-1109-0000-1000-0000000FF1CE}" Then sPatchCode = "{ACF593FE-E06A-44AB-8872-A8C1BDDE93F5}"

      fMspInstalled = False

      Set Patches = msi.PatchesEx(prod,"",4,3)

      For Each msp in Patches

      If msp.PatchCode = sPatchCode Then

      sResult = sResult & msi.ProductInfo(prod,"ProductName") & ": The update is already installed on this system." & vbCrLf

      fMspInstalled = True

      Exit For

      End If

      Next

      If Not fMspInstalled Then sResult = sResult & msi.ProductInfo(prod,"ProductName") & ": The update is not installed on this system." & vbCrLf

      End If

      Next

      If sResult = "" Then sResult = "There are no products affected by this package on this system."MsgBox sResult,,"Security Update for Microsoft Groove Server 2010 (KB2508965)"2508965)"
  • 2552997 MS11-074: Description of the security update for Groove 2007 (groove.msp): September 13, 2011

    Known issues in security update 2552997:
    • The Groove security update does not appear up in Add or Remove Programs. The system administrator can determine whether the update is installed by opening the SharePoint Configuration Manager console.
  • 2552998 MS11-074: Description of the security update for Groove Server 2007 (ems.msp, emsmui.msp): September 13, 2011

    Known issues in security update 2552998:
    • The Groove security update does not appear up in Add or Remove Programs. The system administrator can determine whether the update is installed by opening the SharePoint Configuration Manager console.
  • 2552999 MS11-074: Description of the security update for Office Groove Server 2007 Data Bridge: September 13, 2011

    Known issues in security update 2552999:
    • The Groove security update does not appear up in Add or Remove Programs. The system administrator can determine whether the update is installed by opening the SharePoint Configuration Manager console.
    • You may receive the following message:
      After this update completes, run the SharePoint Products and Technologies Configuration Wizard to finalize the update.
      You receive this message in error, and the error condition does not apply.
  • 2553001 MS11-074: Description of the security update for Office SharePoint Server 2007: September 13, 2011
  • 2553002 MS11-074: Description of the security update for Office SharePoint Server 2007 for Search: September 13, 2011
  • 2553003 MS11-074: Description of the security update for Office SharePoint Server 2007 (dlc): September 13, 2011
  • 2553005 MS11-074: Description of the security update for Office Forms Server 2007 (ipfs.msp): September 13, 2011
  • 2560885 MS11-074: Description of the security update for SharePoint Server 2010 (osrv): September 13, 2011
  • 2560890 MS11-074: Description of the security update for SharePoint Server 2010 (pplwfe): September 13, 2011

    Known issues in security updatge 2560890:
    • After you install this security update, profile synchronization may stop functioning and you may find an error message that resembles the following in EventVwr:
      The server encountered an unexpected error and stopped.
      "BAIL: MMS(2532): storeimp.cpp(308): 0x80230443 (Service start up has failed. Cannot open the FIM Synchronization Service database because the database schema version in existing database does not match the required version.)
      Resolution

      You must restart the User Profile Synchronization Service for profile synchronization to work correctly.
      1. Open Central Administration.
      2. Click Manage Services on the System Settings section.
      3. Find User Profile Synchronization Service in the list of services and then click Stop if its status is Started. Click Start and provide the credentials to start the User Profile Synchronization Service.
  • 2566445 MS11-074: Description of the security update for SharePoint Workspace 2010: September 13, 2011
  • 2566449 MS11-074: Description of the security update for Microsoft Office 2010 Web Apps: September 13, 2011
  • 2566450 MS11-074: Description of the security update for Microsoft Word Online 2010: September 13, 2011
  • 2566456 MS11-074: Description of the security update for Microsoft SharePoint Server 2010: September 13, 2011
  • 2566954 MS11-074: Description of the security update for SharePoint Server 2010 (dlc): September 13, 2011
  • 2566958 MS11-074: Description of the security update for SharePoint Server 2010 (ppsmamui): September 13, 2011
  • 2566960 MS11-074: Description of the security update for SharePoint Server 2010 (wosrv): September 13, 2011

Properties

Article ID: 2451858 - Last Review: April 24, 2014 - Revision: 3.1
Applies to
  • Microsoft SharePoint Foundation 2010
  • Microsoft SharePoint Server 2010
  • Microsoft Windows SharePoint Services 3.0
  • Microsoft Windows SharePoint Services 2.0
  • Microsoft SharePoint Team Services
  • Microsoft Office SharePoint Server
  • Microsoft Office Groove 2007
  • Microsoft Office Groove Server 2007
  • Microsoft Office Groove Server 2007 Data Bridge
  • Microsoft Office Groove Server 2007 Manager
  • Microsoft Groove Server 2010
  • Microsoft Office SharePoint Server 2007
  • Microsoft Office SharePoint Server 2007 for Search (Enterprise Edition)
  • Microsoft Office SharePoint Server 2007 for Search (Standard Edition)
  • Microsoft Office Forms Server 2007
  • Microsoft Word Online
  • Microsoft PowerPoint Online
  • Microsoft Excel Online
  • Microsoft Office Excel Web Access
Keywords: 
kbexpertiseinter kbqfe kbsecurity kbsecbulletin kbsecvulnerability kbfix kbbug kbsurveynew KB2451858

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com