73 comments

[ 5.0 ms ] story [ 70.5 ms ] thread
(comment deleted)
Another day another vulnerability with Microsoft. I wonder if this will incentivize the countries to move faster with Linux.

Probably not since there are so many of these breaches people just ignore them.

I miss the old days when a breach involved someone breaking into the computer room and grabbing as many mag tapes as they can carry and run :)

> I wonder if this will incentivize the countries to move faster with Linux.

I hope so. We're seeing it now though. Germany, Norway.

Not saying there won't be CVEs when they move, but at least there's freedom and openness already available to switch to.

Wasn’t Microsoft just recently using Chinese people living in China to administer DOD servers? I would guess they use Sharepoint inside the DOD?
Says this in the article:

> A programming flaw in its cloud services also allowed China-backed hackers to steal email from federal officials. On Friday, Microsoft said it would stop using China-based engineers to support Defense Department cloud-computing programs after a report by investigative outlet ProPublica revealed the practice, prompting Defense Secretary Pete Hegseth to order a review of Pentagon cloud deals.

There is a DoD version of M365 which has SPO, but that isn't what the article is discussing.
Revert to the typewriters for security
Why didn't they just rewrite it in Rust?
At the risk of massive downvotes, I have to admit that a small part of me wants this so that maybe corporations stop using Sharepoint as soon as possible.

Seriously, I haven't used it since 2017, but every time I used it then it was the worst part of my day. I used to have a shirt that said SHarepoIT Happens that I would wear to work, and it seemed like the one thing I could get my coworkers agree on was that Sharepoint is terrible and we'd rather use anything else.

My company has SharePoint and another internal site for documents/notes (think about Notion/Quip/Confluence). The other site works quite well, and most developers write all their notes/docs on it. But some people just insist on uploading Word documents to SharePoint. So now everybody else has to use SharePoint as well, plus search twice whenever they need to find something.
And sharepoint in large organisations I have been at recently is now using oauth which breaks Microsoft's own sharepoint client API. That whole software is one massive waste of time and buget.
As a mid size company that does work with government agencies, it’s near impossible to use anything ‘better’ solution. Cybersecurity requirements are getting so onerous that Sharepoint is too commercially feasible of an option to use anything else for a shared file store between organizations.

The fact that Sharepoint sucks* doesn’t matter… because anything else is seen as a risk.

* folders with lots of files are hard to scroll through because each page is lazy loaded, the automation functions are buggy, logins between different M365 tenants breaks and is not correctable by a normal site admin, human readable URL paths aren’t standard, search is shit, tables/filters are buggy, the new interface hides a bunch of the permissions logic, some things like permission groups need to be managed via outlook, etc etc. I’m sure a bunch of my gripes are technically fixable, but these aren’t things that should need a web search in order to use/fix.

At some point Microsoft tried to sell some automatic DRM system based on SharePoint to some company that I worked for.

The sales pitch was that they could upload documents to SharePoint and when people downloaded the documents SharePoint would automatically apply DRM so the documents could only be opened by that person on authorised machines for a specified number of days.

Well, it turned out depending on how you logged in (using the same account, just different login forms) on the SharePoint server it would either give you the files with DRM applied - or the completely unrestricted files.

We got some senior Microsoft consultant working directly for Microsoft to look at it but in the end they were just as confused as us.

>At the risk of massive downvotes,

The only reason to get downvotes is nonsense of prefacing the post with the 'worry'. Sharepoint would be far from a first choice under normal circumstances (e.g. not bundled with excel and friends)

It is instructive that we are seeing the results of DOGE's work:

"The process took six hours Saturday night — much longer than it otherwise would have, because the threat-intelligence and incident-response teams have been cut by 65 percent as CISA slashed funding, Rose said."

Why isn't this under a branch of the military? Get lots of funding then. Protects national security
Wondering if this was a self goal to, you know, get people to use this enshittified product on the cloud?
It's not right to victim blame but it's also not wrong. Akin to investing lots of money in a stock. If you took the risks of maintaining a public SharePoint server in 2025, here's your very bad day.
> CISA advises vulnerable organizations [...] to disconnect affected products from the public-facing Internet until an official patch is available.

It's interesting to me that you'd go the hassle of hosting your own SharePoint on prem, but leave it internet facing. I would have assumed a the Venn diagram of these organizations to be entirely contained in orgs forcing you to use a VPN.

Oh CISA...

What a pity that CISA has been purged down of effective useful people and turned into another sad selected-for-political-compliance-only force.

Arizona recently got attacked from Iranian hackers & didn't even bother trying to get help from CISA. https://archive.is/2025.07.19-143305/https://www.azcentral.c...

CISA is so so vital. Investigating incredibly wide ranging attacks like this, or the Salt Typhoon attack are vital for this nation. But the show is being run by a bunch of people who value political dogma far above anything else. https://www.techdirt.com/tag/cisa/

Best practice is to assume the network is compromised - a VPN doesn't provide as much guarantee as people would like. In large fleets, devices are regularly lost, damaged, retired, etc. In organizations with high target value, physical penetration through any number of means should be assumed.

So you don't do that. You use zero trust and don't care that things are exposed to the internet.

Working from anywhere (remote sites, home, your phone) is a huge benefit. Organizations want to control their data entirely while still wanting their organization to be able to access it.

> It's interesting to me that you'd go the hassle of hosting your own SharePoint on prem, but leave it internet facing.

Once upon a time Microsoft marketed it as, and a lot of Orgs adopted SharePoint as their Intranet. With SharePoint 2019 being sunset, a lot of Orgs are scrambling to implement replacements.

Hosting internal services be they SharePoint or Exchange behind a [pre-auth] reverse proxy isn't that unusual.
The product was explicitly promoted as being useful to run public websites. Before cloud took off we had Microsoft sales people in our office announcing the death of Wordpress with the latest Sharepoint release. That position may be old, but plenty of orgs live in the past.
I would assume some orgs made it public facing for covid and it remained like that
That’s the whole thing with Azure; it blurs the line between on-prem and cloud “because you can.”

I never remember thinking years ago how nice it would be to have all of our private docs that we only need to access on our private network accessible to the public. I just wasn’t thinking outside the box enough.

The answer is contractors and consultants. State agencies routinely work with third parties that need to be able to share files. Obviously this isn’t universal but it isn’t uncommon.
> It's interesting to me that you'd go the hassle of hosting your own SharePoint on prem, but leave it internet facing. I would have assumed a the Venn diagram of these organizations to be entirely contained in orgs forcing you to use a VPN.

It likely will be entirely contained, at least in theory. Because is your IT and OT isolated? They should be, but man could I tell you something about the energy and public sectors... Let's just say, that if you're in an organisation with any sort of OT, then you may as well assume that everything you have is facing the internet in some way. I suspect it's frankly like this in any sort of enterprise organisation getting worse the more the org views IT purely as a cost center.

This is why we don't just rely on things like VPNs. Everything we have uses port security (mac-adresses) at a much more ganular level than the VPN does. At least for the parts of our systems landscape where this is possible. With something like SharePoint it's hard to allow specific devices because it's usually something everyone should have some sort of access to. Then you have all the organisations where SharePoint also has some sort of non-VPN access because some CEO level wanted it at one point since they can't be bothered to bring a work PC to their Holiday home.

I have spent far too much of my life on SharePoint. Having it internet facing has never been a good idea. Not really what it is meant for, though the promo verbiage on that has changed over different versions.

Some folks wanted SharePoint as their "web server", I would set that installation up entirely separted from all other instances they may have on the network.

How did Principal Engineer Copilot not prevent this?!
I've heard many Pentagon employees claim that if someone wanted to take out the US military, all they'd have to do is kill Sharepoint.

It's the go-to warm-up joke whenever someone in the military gives a speech.

We need more Red Hat and less Microsoft in the on-prem enterprise business. These exploitable vulnerabilities are unacceptable when your customers are the likes of DoD.

No one considers Google anything less than an impenetrable fortress, but when it's some government entity responsible for keeping American lives safe it's like "ah yeah they probably have a vulnerable on-prem Sharepoint that could easily be pwned."

So why is this? Why do Microsoft products enjoy a monopoly on the server in these sectors when more secure (Linux-based) options are far cheaper and widely deployed already? Isn't security the number one priority in those spaces?

(comment deleted)
If I am ever on the board of a company, I will always vote no confidence in the dipshit CTO or founder that willingly install/mandate use of Microsoft junk in the company.

As a corporate drone that has accidentally opened various Microsoft office suite links inside of Teams. My dislike for anything Microsoft continues to grow.

Am I surprised that sharepoint has vulnerabilities? Hell no.

[dead]
Why is the US even using Microsoft? They’re in effect an Indian company now
Meanwhile, Citrix has been on fire causing much worse things (you can just grab any session you want and become anyone who's already logged in). Who needs to break into SharePoint when you're becoming someone who's already got access... including to everything else (not just SharePoint)

It's patchable, but it's been two times in a row now, and patching is always slow and incomplete.