June Security Hotfix for WSS V3 and MOSS 2007


I just want to make you aware that a new security update for SharePoint (WSS V3 / MOSS 2007) has been released:

Microsoft Security Bulletin MS10-039 – Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2028554)
See also KB979445: MS10-039: Description of the security update for Microsoft Office SharePoint Server 2007: June 8, 2010

Update:
If you have installed the February 2010 CU for WSS V3, you should be safe. Our updates are released in a cumulative update cycle, so the February update already contains the fix mentioned in the security bulletin. Unfortunately, not all SharePoint environments worldwide are updated regularly, so this is a reminder to think about updating.

Second Update:
We updated KB article KB979445 to give you more insight when a problem occurs.

For further troubleshooting, we also updated this KB article:
944267: How to troubleshoot common errors that occur when you run the SharePoint Products and Technologies Configuration Wizard on a computer that is running Windows SharePoint Services 3.0 or SharePoint Server 2007.

Comments (11)

  1. Brian says:

    Does this security update also fix other issues apart from these vulnerabilities?

    Because in the KB article, there are a lot of SharePoint core files being modified. This security patch looks like the 2009 December CU?

  2. Rick says:

    Sure would be nice to get a heads-up about the timetable for Service Pack 3, which is the "cumulative update" that we've been waiting for. For example, if it won't even make it this year, we'll just bite the bullet and do June CU, since there have simply been too many fixes since Service Pack 2 to wait any longer.

  3. Joerg_Sinemus says:

    The security update we are talking about was created before the February 2010 CU and after the December 2009 CU. Such security updates are heavily tested (which is time-consuming) because they are installed through Windows Update. If you regularly update YOUR SharePoint environment with cumulative updates, YOU are safe. Talking about SP3 here is not needed because it will contain all fixes included in the last CU and maybe only a bit more. I am sure there will be more information in the future.

  4. bluey says:

    I've understood that the general recommendation is to only install SharePoint CUs _if_ they fix specific problems you have? And that service packs are recommended for everyone. Are those still the official recommendations?

  5. Joerg_Sinemus says:

    Service Packs are a kind of "Must Have". From our support experience, the CUs are also very important, and since we are talking about cumulative ones, the newest update contains all the earlier ones. It depends on your own experience how you can and want to update your servers. Some environments are big and will need a lot of tests before implementing the CU in production. Others are smaller and also rely on automatic updates. The security hotfix we are mentioning here is much more tested and is also a "Must Have" because security is important. Saying that and thinking about what I should install on my SharePoint environment… why not install the April 2010 CU?

    You can find more about CUs and Service Packs on the blogs from the SharePoint Product Group and CAPES.

  6. meena says:

    Should this be installed like any other CU? I mean, do we need to run PSCONFIG after this patch installation?

  7. Brian says:

    Meena: Yes, Psconfig needs to be run.

    Joerg: Since this update was created before the Feb 2010 CU and after the December 2009 CU, does this security update contain all issues fixed in the Dec 2009 CU or only the security patch?

  8. Rick says:

    It comes as quite a surprise that Psconfig (or Wizard, I suppose) needs to be run, since there's no mention of it in the security bulletin or the download page (I originally thought this was a Windows Update, but it appears that it isn't).

    Perhaps the instruction comes at the end of the install.

    I did find this interesting statement in the bulletin, however: "There are no more service packs planned for this software. The update for this issue may be included in a future update rollup."

    I guess that answers the service pack question. Odd.

  9. vijay says:

    We are getting the following error after this patch –

    Server error: go.microsoft.com/fwlink

    Any idea?

  10. Rick says:

    That link doesn't lead anywhere in particular, but this is the error that people seem to be getting. Maybe something there will help you.

    social.technet.microsoft.com/…/c054514a-4c1d-47d5-a2bc-d8c3c7a6870d

    social.technet.microsoft.com/…/78d0aa2b-ac22-4811-a553-6567463ab4c1

  11. Joerg_Sinemus says:

    Many thanks for all the comments and links. I can only recommend installing the February 2010 CU or the April CU and, in a couple of days, the June CU. Those CUs are really complete, especially when you have language packs installed. The "Full Server Package" contains everything from global fixes to language-specific fixes. Last but not least, you have to run PSCONFIG after you have installed the binaries.