MS15-047: Description of the security update for SharePoint Server 2013: May 12, 2015


Summary



This security update resolves vulnerabilities in Microsoft Office server and productivity software. The vulnerabilities could allow remote code execution if an authenticated attacker sends specially crafted page content to a SharePoint server. An attacker who successfully exploited these vulnerabilities could run arbitrary code in the security context of the W3WP service account on the target SharePoint site.


The security update addresses the vulnerabilities by correcting how SharePoint Server sanitizes specially crafted page content. For more information about the vulnerabilities, see the "More Information" section.

Improvements and fixes

This security update contains the following improvement:
  • Improves performance when you crawl SharePoint Server 2013 sites that have independent security scopes. Only the security scope of the sites and the permissions in the security scope should be retrieved.

This security update also contains fixes for the following nonsecurity issues:
  • When you crawl external content (Internet websites), it is impossible to pass a username and password for proxy authentication.
  • Updates the URL of the SharePoint store to make sure that SharePoint can connect to the store successfully. The SharePoint store is used to browse and acquire SharePoint apps from the office.com marketplace.
  • When you try to add or update an item in a list that has an indexed Version column on a SharePoint Server 2013 site, you receive the following error. This error indicates that indicates that the URL is invalid:
    The URL 'document' is invalid. It may refer to a nonexistent file or folder, or refer to a valid file or folder that is not in the current Web.

    This issue occurs after you upgrade the site from SharePoint Server 2010 to SharePoint Server 2013.
  • When you search for some items in a SharePoint Server 2013 list, the Count total does not show 0 if no result is returned.
  • Health Analyzer displays the following error message in SharePoint Server 2013:
    Missing server side dependencies.
  • When you create a page for a page library in SharePoint Server 2013, you are not redirected back to the page library and are not notified that the page is created.
  • When you use the keyboard and press Enter on the Show more columns link in the Filter section while you are creating or editing a view in SharePoint Server 2013, the added section is not focused.
  • Assume that you have a SharePoint Server 2013 site that displays list data by using a LINQ query. When two users try to go to the site at the same time, the site page may be displayed incorrectly.

Introduction


Microsoft has released security bulletin MS15-047. To learn more about this security bulletin:

How to obtain help and support for this security update

Help installing updates:
Support for Microsoft Update

Security solutions for IT professionals:
TechNet Security Troubleshooting and Support

Help protect your Windows-based computer from viruses and malware:
Virus Solution and Security Center

Local support according to your country:
International Support

More Information


Note After you install this security update on all SharePoint servers, you have to run the PSconfig tool to complete the installation process. For more information about how to use the PSconfig tool, go to the following Microsoft TechNet webpage:

Restart information

You may have to restart the computer after you install this security update.

In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, a message is displayed that advises you to restart the computer.

To help reduce the possibility that a restart will be required, stop all affected services and close all applications that may use the affected files before you install this security update.

See Why you may be prompted to restart your computer after you install a security update on a Windows-based computer for more information.

Removal information

You cannot uninstall this security update.

Security update replacement information

This security update replaces security update 2956175 .

FILE INFORMATION


The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.