Advisory hints at SharePoint patch on Tuesday

A Sharepoint vulnerability flagged almost two months ago could be fixed by Microsoft in patches released tomorrow.

The cross-scripting vulnerability affects SharePoint Services 3.0 and Server 2007 and could be exploited if a user clicks on a malicious link, which would allow an attacker to access the system.

The exploit was first flagged with Microsoft on April 12 by an independent security organisation, which announced it publicly on April 29.

Microsoft would not confirm whether a patch would be released for the project on Tuesday 8 June, as part of its regular patch cycle.

However, as part of an advance notification for patches to be released on June 8, it has listed an "important security" update for the SharePoint products, Services 3.0 and Server 2007.

Microsoft chief security advisor Stuart Strathdee said Microsoft had already provided support to customers on the SharePoint vulnerability .

"An advisory was issued on April 29 2010, and provides customers with information to mitigate the impact, should this be required," Strathdee said.

The software developer also did not reveal how many international and Australian customers were affected, or the severity of any breaches.

Microsoft is expected to release the patch this week, according to web applications security company Imperva's regional sales director Kane Lightowler. Two months was a relatively quick turnaround time to patch the vulnerability, he said.

"At this stage it's reasonably quick considering what we've seen from Microsoft in the past," Lightowler said.

"However, organisations are at the mercy of Microsoft patch cycle and their capability to release the patch."