September Security Bulletin (MS11-074) and SharePoint 2010 Issues

Article
09/19/2011

Updated 9/28/2011. Added “Other Issues” section.

Summary

On September 13, 2011, Microsoft released security bulletin MS11-074 - Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege. The security bulletin had a security rating of Important. Packages released as part of the security bulletin have been targeted at various different Office client and server products. As such, both Microsoft Office SharePoint Server 2007 and Microsoft SharePoint Server 2010 products have also been affected by the security updates. Please review the security bulletin for detailed information about the products and files that have been affected by the packages. Since the security bulletin has a security rating of Important, it is expected that Windows Server Update Services may automatically download the packages on the servers that have the service enabled. As with all SharePoint updates, the SharePoint Products and Technologies configuration wizard must be executed to ensure that the SharePoint farm is not left in an inconsistent state. For more information, please review Known issues and additional information about this security update

SharePoint 2010 Issues

A significant number of critical issues have been reported over the past few days for SharePoint 2010. Installation of the security updates on SharePoint 2010 servers pushed by WSUS could cause the following issues to occur, resulting in a full or partial outage of SharePoint services in the environment. Both issues are related to missing dependencies.

Issue #1- Users unable to browse Publishing sites

This issue affects the ability of users to browse to and use SharePoint Publishing sites. When browsing to the site, users may experience the following error:

“An Unexpected error has occurred”

Following error is reported in the ULS logs or on the SharePoint page if the “CallStack” attribute of set to “true” in the web.config file:

Method not found: 'Void Microsoft.Office.Server.WebControls.AudienceLoader.GetAudiencesFetchedDuringPageRequest(System.Collections.Generic.Dictionary`2<System.Guid,Boolean> ByRef, System.Collections.Generic.Dictionary`2<System.String,Boolean> ByRef, System.Collections.Generic.Dictionary`2<System.String,Boolean> ByRef)'.

Issue #2- Unable to Manage User Profile Service Application

Administrators may get the following error when navigating to the user profile service application management page from central administration:

System.IO.FileNotFoundException: Could not load file or assembly 'Microsoft.ResourceManagement, Version=4.0.2450.34, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified. at Microsoft.Office.Server.UserProfiles.UserProfileConfigManager.InitializeIlmClient(String ILMMachineName, Int32 FIMWebClientTimeOut) at Microsoft.Office.Server.UserProfiles.UserProfileConfigManager..ctor(UserProfileApplicationProxy userProfileApplicationProxy, Guid partitionID) at Microsoft.SharePoint.Portal.UserProfiles.AdminUI.ProfileAdminPage.IsProfileSynchronizationRunning()

Root Cause

The problem has been caused due to inconsistent assembly versions on the SharePoint servers after the installation of the package KB2560890. Multiple packages were released as part of the security bulletin that affect SharePoint 2010 and all applicable packages must be installed on SharePoint servers to ensure that version inconsistencies are not created in the environment. However, it has been observed that only KB2560890 was pushed to servers via WSUS, resulting in the SharePoint assemblies being in an inconsistent state and creating dependency issues:

Following is a list of packages that are released as part of the security bulletin and must be installed (where applicable) to avoid inconsistency issues (taken from https://technet.microsoft.com/en-us/security/bulletin/ms11-074 ):

Resolution

In order to resolve the issues identified above, please install all applicable updates described in the security bulletin MS11-074 to your SharePoint servers. Once all updates have been installed, please run SharePoint Products and Technologies Configuration Wizard to complete the upgrade process.

Note: Installing Service Pack 1 and August Cumulative Update 2011 also addresses the dependency problems, however, it is highly recommended that all security updated outlined in the security bulletin are deployed to ensure that the SharePoint environment is consistent and secure.

Other Issues (Added 9/28/2011)

I have added this section as I have observed an additional issue related to the September Security updates for SharePoint 2010. I’ll update this section with updated information as it becomes available.

1. Unable to create a new User Profile Service Application

You receive the following error when you create a new user profile service application:

System.MissingMethodException: Method not found: 'Microsoft.SharePoint.Administration.SPIdentifierType Microsoft.SharePoint.Administration.SPAce`1.get_BinaryIdType()'. at Microsoft.Office.Server.Administration.SPAclFormatter.Serialize[TRights](XmlWriter xmlWriter, SPAcl`1 acl) at Microsoft.Office.Server.Administration.SPAclFormatter.Serialize[TRights](SPAcl`1 acl) at Microsoft.Office.Server.Administration.UserProfileApplication.SerializeUserAcl(Guid partitionID, SPAcl`1 acl) at Microsoft.Office.Server.Administration.UserProfileApplication.Synchronize() at Microsoft.Office.Server.Administration.UserProfileApplication.Install() at Microsoft.Office.Server.Administration.UserProfileApplication.Provision() at Microsoft.SharePoint.Portal.UserProfiles.AdminUI.NewProfile...

If you receive the above error even after installing all the security updates, you will need to install the August 2011 Cumulative update to resolve this issue. Please visit the SharePoint 2010 Update Center to obtain the update. This issue may occur if your farm was at the August 2010 Cumulative Update build (14.0.5123.5000) or lower before the security updates were applied.

September Security Bulletin (MS11-074) and SharePoint 2010 Issues

Additional resources