

Vulnerability protection

Microsoft Lync vulnerabilities could allow remote code execution


Report ID: MS201206004
Date Published: 13 June 2012

Criticality: Important
Compromise Type: remote-code-execution information-disclosure
Compromise From: remote


Affected Product/Component:

Microsoft Communicator 2007 R2
Microsoft Lync 2010
Microsoft Lync 2010 Attendee
Microsoft Lync 2012 Attendant




Summary

Four vulnerabilities were reported in Microsoft Lync: three could lead to remote code execution, and the other could lead to information disclosure.



Detailed Description

Microsoft has issued a security update for Microsoft Lync to address four reported vulnerabilities. Three of them are remote code execution vulnerabilities caused by incorrect handling of TrueType fonts (TTF) and insecure loading of external libraries. On successful exploitation, an attacker could execute arbitrary code and take control of an affected system.

The fourth is an information disclosure vulnerability caused by the way SafeHTML sanitizes HTML. On successful exploitation, an attacker could perform cross-site scripting attacks and run scripts on behalf of the user.

The update, which introduces several crucial modifications, addresses all of these issues. Users are advised to install it as protection against potential exploit attempts.



CVE Reference

CVE-2012-3402, CVE-2012-0159, CVE-2012-1849, CVE-2012-1858



Solution

Install the latest security patch for the applicable system, available for download from https://technet.microsoft.com/en-us/security/bulletin/ms12-039


