MS15-036: Description of the security update for SharePoint Server 2013: April 14, 2015

Applies to: SharePoint Server 2013, Microsoft SharePoint Server 2013 Service Pack 1

Introduction


This security update resolves elevation of privilege vulnerabilities that exist when Microsoft SharePoint Server incorrectly sanitizes a specially crafted request. An authenticated attacker could exploit these vulnerabilities by sending a specially crafted request to an affected SharePoint Server. An attacker who successfully exploited these vulnerabilities could then perform cross-site scripting attacks on affected systems and run scripts in the security context of the current user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions on the SharePoint site on behalf of the victim (such as changing permissions and deleting content), and inject malicious content in the victim's browser.

Improvements and fixes

This update also contains fixes for the following nonsecurity issues:
  • When you try to manage the workflow setting for a SharePoint Server 2013 library for which you have appropriate permissions, you receive the following error message:
    Sorry, this site hasn't been shared with you.
  • When you copy a page that contains a Summary Links web part to another SharePoint Server 2013 subsite by using the Content and Structure feature, you receive the following error message:
    List does not exist.
  • When you set a language pack that uses different decimal marks for a server that is running SharePoint Server 2013, numeric and currency fields of a document set are displayed incorrectly.

    Note To resolve this issue for existing document sets after you apply this update, you have to go to the home page of existing document sets, click Edit Properties, and then click Save.
  • When you use the slide with bar graph refiner in the refinement panel of search results, you receive the following error message:
    Property doesn't exist or is used in a manner inconsistent with schema settings.
    This issue occurs if the refiner interval is a value that is more than ten million.
  • When you move a file between document libraries of a SharePoint Server 2013 site that has the Continuous Crawls function enabled, you may receive an incorrect search result for the file.

  • Assume that you create an item that contains multiline text in a rich-text field in a SharePoint Server 2013 list. When you try to search for the item in the list, no result is returned. This issue occurs because the multiline text is combined into one term.
  • When you add a Task List web part to a webpage on a SharePoint Server 2013 site, the webpage is displayed as blank, and you cannot click any ribbon items.
  • When you try to upload a file as an attachment to SharePoint Server 2013 by using Safari, the upload process freezes, or you receive the following error message:
    Request body stream exhausted.
  • When you update a file such as an image for a SharePoint Server 2013 site, the file is not updated accordingly in the blob cache of Web Front End (WFE) servers.
  • You cannot run search analytics in SharePoint Server 2013, and some disk space is consumed because of invalid data.

  • Translates some terms in SharePoint Server 2013 Newsfeed (for example, the Like link) for Dutch to make sure that the meaning is accurate.
  • Translates some terms in the Compliance Details page of documents in SharePoint Server 2013 for Dutch to make sure that the meaning is accurate.
  • When you run an incremental crawl for a Microsoft Exchange Server 2010 public folder in a SharePoint Server 2013 environment, you cannot search the items in the public folder, and the items are deleted from the index.
  • Translates some terms in the Web Part Properties page in SharePoint Server 2013 for Dutch to make sure the meaning is accurate.
  • Improves the Portuguese Brazilian proofing tool by adding the latest Portuguese Brazilian grammar to Office 2013 applications.
  • Assume that you type a page name, such as "Text with spaces," in the New item form in a site page library in SharePoint Server 2013 to create a new page. After you create the page, the automatically generated URL is inconsistent with the preview URL. For example, the preview URL may be displayed in a label as follows:

    Find it at : <%SitepagesUrl%>/Text with spaces.aspx

    However, the generated URL may be displayed as <%SitepagesUrl%>/Text-with-spaces.aspx. 

Summary


Microsoft has released security bulletin MS15-036. Learn more about how to obtain the fixes that are included in this security bulletin:

How to obtain help and support for this security update

Help installing updates: Support for Microsoft Update

Security solutions for IT professionals: TechNet Security support and troubleshooting

Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center

Local support according to your country: International support

More information about this security update

After you install this security update on all Microsoft SharePoint Servers and SharePoint services, you have to run the PSconfig tool to complete the installation. 
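
One way to check that this post-install step is still pending and to run it, shown as an added example that is not part of the original Microsoft article. It assumes an elevated SharePoint 2013 Management Shell session, the default installation path for PSConfig.exe, and the commonly used build-to-build upgrade switches; run it on each server in the farm after the update is installed.

```powershell
# Added example (not from the original article). Assumptions: elevated session,
# SharePoint 2013 installed in the default location, farm account privileges.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# Farm-wide view: servers whose configuration lags behind the installed binaries.
$pending = @(Get-SPServer | Where-Object { $_.NeedsUpgrade })
if ($pending.Count -eq 0) {
    Write-Output "No server in the farm reports a pending upgrade."
    return
}
Write-Output "Servers that still need PSConfig:"
$pending | ForEach-Object { Write-Output ("  " + $_.Address) }

# Only act on the local server; PSConfig has to be run on each server in turn.
$local = $pending | Where-Object {
    ($_.Address -split '\.')[0] -eq $env:COMPUTERNAME
}
if (-not $local) {
    Write-Output "This server is already configured; run the script on the servers listed above."
    return
}

# Default SharePoint 2013 location (assumption; adjust if installed elsewhere).
$psconfig = Join-Path $env:CommonProgramFiles `
    'Microsoft Shared\Web Server Extensions\15\BIN\PSConfig.exe'
if (-not (Test-Path $psconfig)) {
    throw "PSConfig.exe not found at $psconfig"
}

# Build-to-build upgrade of the configuration and content databases.
& $psconfig -cmd upgrade -inplace b2b -wait `
            -cmd applicationcontent -install `
            -cmd installfeatures `
            -cmd secureresources

if ($LASTEXITCODE -ne 0) {
    throw "PSConfig failed with exit code $LASTEXITCODE; the update is not fully applied on this server."
}
Write-Output "PSConfig completed on $env:COMPUTERNAME."
```

A server that has the updated binaries but still reports a pending upgrade has not completed the installation, so track the pending list to zero before treating the farm as patched.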

Download information

This update is available for download from the Microsoft Download Center.

Prerequisites to install this security update

To install this security update, you must have Service Pack 1 for SharePoint Server 2013 installed on the computer.

Restart information

You may have to restart the computer after you install this security update.

In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message is displayed that advises you to restart the computer.

To help reduce the possibility that a restart will be required, stop all affected services and close all applications that may use the affected files before you install this security update.

Learn about why you may be prompted to restart your computer after you install a security update on a Windows-based computer.

Removal information

This security update cannot be removed.

Security update replacement information

This security update replaces update 2956153.

File information

For a list of the files that are provided in update 2965219, see the following: