Microsoft Skype for Business Server and Lync Server Multiple Vulnerabilities

Last Update Date: 9 Sep 2015 16:42 Release Date: 9 Sep 2015

RISK: Medium Risk

TYPE: Servers - Other Servers

1. A cross-site scripting (XSS) vulnerability, which could result in information disclosure, exists when the jQuery engine in Skype for Business Server or in Lync Server fails to properly sanitize specially crafted content. An attacker who successfully exploited this vulnerability could potentially execute scripts in the user’s browser to obtain information from web sessions.

For this vulnerability to be exploited, a user must click a specially crafted URL.

In an email attack scenario, an attacker could exploit the vulnerability by sending an email message containing the specially crafted URL to the user and by convincing the user to click on the specially crafted URL.

In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted URL. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit such websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an instant messenger or email message that directs them to the affected website by way of a specially crafted URL.

Systems with affected editions of Skype for Business Server or Microsoft Lync Server installed and the clients that connect to them are at risk from this vulnerability. The update addresses the vulnerability by updating jQuery in Skype for Business Server and in Lync Server to correctly sanitize user input.

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

2. A cross-site scripting (XSS) vulnerability, which could result in information disclosure, exists when Lync Server fails to properly sanitize specially crafted content. An attacker who successfully exploited this vulnerability could potentially execute scripts in the user’s browser to obtain information from web sessions.

For this vulnerability to be exploited, a user must click a specially crafted URL.

In an email attack scenario, an attacker could exploit the vulnerability by sending an email message containing the specially crafted URL to the user and by convincing the user to click on the specially crafted URL.

In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted URL. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an instant messenger or email message that directs them to the affected website by way of a specially crafted URL.

Systems with affected editions of Microsoft Lync Server installed and the clients that connect to them are at risk from this vulnerability. The update addresses the vulnerability by correcting how Lync Server sanitizes user input.

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

3. A cross-site scripting (XSS) vulnerability, which could result in elevation of privileges, exists when Skype for Business Server or Lync Server fails to properly sanitize specially crafted content. An attacker who successfully exploited this vulnerability could execute arbitrary code and take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

For this vulnerability to be exploited, a user must click a specially crafted URL.

In an email attack scenario, an attacker could exploit the vulnerability by sending an email message containing the specially crafted URL to the user and by convincing the user to click on the specially crafted URL.

In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted URL. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit such websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an instant messenger or email message that directs them to the affected website by way of a specially crafted URL.

Systems with affected editions of Skype for Business Server or Microsoft Lync Server installed and the clients that connect to them are at risk from this vulnerability. The update addresses the vulnerability by correcting how Lync Server sanitizes user input.

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.
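All three items above come down to one defensive rule: a value taken from a URL is untrusted data and must be escaped before it is placed into a page, and it must never be handed to an API that treats strings containing "<...>" as markup. The following is an added illustration of that rule, not code from this bulletin or from Microsoft's patch; the strict "starts with < and ends with >" classification and the simulated legacy behaviour are assumptions for the demonstration, and the sample URLs are constructed.

```javascript
// Added example (not from the Microsoft bulletin): the defender-side rule
// behind an XSS fix of this kind. Anything pulled from a URL (query string,
// fragment) is untrusted text; it must be escaped before being placed into
// HTML, and must never reach an API that interprets "<...>" as markup.

// Escape the five characters that let text break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Classify a string the way a hardened "$()"-style entry point should:
// only a string that starts with "<" and ends with ">" is markup; a string
// that merely contains "<" somewhere (e.g. "#foo<img ...>") is not.
// Assumed rule for illustration; the bulletin does not describe the patch
// at this level of detail.
const STRICT_HTML = /^<[\s\S]+>$/;
function classifyInput(s) {
  if (STRICT_HTML.test(s)) return "html";
  if (/^#[\w-]*$/.test(s)) return "id-selector";
  return "text";
}

// Simulated legacy behaviour vs hardened behaviour when a page takes a
// value from the URL fragment and reflects it into the page.
function renderFragment(fragment, hardened) {
  const value = fragment.replace(/^#/, "");
  if (!hardened) {
    // Legacy (simulated): a fragment that contains a tag anywhere is
    // interpreted as markup, so a crafted URL injects script.
    return /<[\s\S]+>/.test(value) ? value : escapeHtml(value);
  }
  // Hardened: a URL fragment is data, so it is always rendered as text.
  return escapeHtml(value);
}

// Constructed sample URL fragments for the demonstration.
const benign = "#section-2";
const crafted = "#<script>alert(1)</script>";

// Returns both renderings so the difference can be checked, not just printed.
function demo() {
  return {
    legacy: renderFragment(crafted, false),
    hardened: renderFragment(crafted, true),
    benign: renderFragment(benign, true),
  };
}
```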


Impact

  • Elevation of Privilege

System / Technologies affected

  • Microsoft Lync Server 2013
  • Skype for Business Server 2015

Solutions


Before installation of the software, please visit the software manufacturer web-site for more details.

  • The vendor has issued a fix

Vulnerability Identifier


Source


Related Link