Microsoft Lync vulnerabilities could allow remote code execution
Report ID: MS201206004
Date Published: 13 June 2012
Criticality: Important
Compromise Type: remote-code-execution information-disclosure
Compromise From: remote
Affected Product/Component:
Microsoft Communicator 2007 R2
Microsoft Lync 2010
Microsoft Lync 2010 Attendee
Microsoft Lync 2012 Attendant
Summary
Four vulnerabilities were reported in Microsoft Lync. Three of them could lead to remote code execution, and the fourth could lead to information disclosure.
Detailed Description
Microsoft has issued a security update for Microsoft Lync to address four reported vulnerabilities. Three of them were remote code execution vulnerabilities caused by incorrect handling of TrueType Font (TTF) and insecure loading of external libraries. Upon successful exploitation, an attacker could execute arbitrary code and take control of an affected system.
The fourth was an information disclosure vulnerability caused by the way SafeHTML sanitizes HTML. Upon successful exploitation, an attacker could perform cross-site scripting attacks and run scripts on behalf of the user.
All of these issues are addressed by the update, which introduces several crucial modifications. Users are advised to install the update to protect against potential exploit attempts.
CVE Reference
CVE-2012-3402, CVE-2012-0159, CVE-2012-1849, CVE-2012-1858
Solution
Install the latest security patch for the applicable system, available for download from https://technet.microsoft.com/en-us/security/bulletin/ms12-039




