
KLA10693 Information disclosure vulnerability in Microsoft Lync & Skype for Business

2015-11-10 00:00:00
Kaspersky Lab
threats.kaspersky.com

CVSS2: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

AI Score: 7.2 (Confidence: Low)

EPSS: 0.044 (Percentile: 92.6%)

Improper sanitization of information was found in Microsoft Lync and Skype for Business. By exploiting this vulnerability, malicious users can execute arbitrary code or obtain sensitive information. The vulnerability can be exploited remotely via a specially crafted message.

Technical details

This vulnerability can be triggered by specially crafted JavaScript content in a message. It can be used to execute arbitrary HTML and JavaScript content in the context of the vulnerable application, open a webpage in the default browser, or potentially trigger URIs defined by other applications.

Original advisories

CVE-2015-6061

Related products

Microsoft-Lync

CVE list

CVE-2015-6061

KB list

3108096

3085634

3105872

3101496

3096738

3096736

3096735

Solution

Install the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel).

Impacts

  • ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can allow an abuser to execute any code or commands on the vulnerable machine or in the vulnerable process.

  • SUI

Spoof user interface. Exploitation of vulnerabilities with this impact can lead to changes in the user interface that beguile the user into inaccurate behavior.

Affected Products

  • Microsoft Skype for Business 2016
  • Microsoft Lync 2013 Service Pack 1
  • Microsoft Lync 2010
  • Microsoft Lync 2010 Attendee
  • Microsoft Lync Room System
