Vulnerability in Microsoft Lync Server Could Allow Information Disclosure

ITS Advisory Number: 
2014-054
Date(s) Issued: 
Tuesday, June 10, 2014
Subject: 
Vulnerability in Microsoft Lync Server Could Allow Information Disclosure
Overview: 

A vulnerability has been discovered in Microsoft Lync Server that could allow information disclosure. Microsoft Lync Server is an enterprise real-time communications server software, providing the infrastructure for enterprise instant messaging, VoIP, ad hoc and structured conferences (audio, video and web conferencing) and PSTN connectivity through a third-party gateway or SIP trunk. Successful exploitation of this vulnerability could result in an attacker obtaining information from a users web session if the user tries to join a Lync meeting by clicking a specially crafted meeting URL.

'
Systems Affected: 
  • Microsoft Lync Server 2010 (Web Components Server)
  • Microsoft Lync Server 2013 (Web Components Server)
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
Low
Description: 

Successful exploitation of this vulnerability could result in an attacker obtaining information if a user tries to join a Lync meeting by clicking a specially crafted meeting URL. The vulnerability is caused when Lync Server does not properly sanitize specially crafted content. An attacker who successfully exploits this vulnerability could potentially execute scripts in the users browser to obtain information from web sessions.

'
Actions: 
  • Update vulnerable Microsoft Lync products immediately after appropriate testing.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Remind users not to open email attachments or click on URLs from unknown or untrusted sources.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
References: 
Microsoft:
https://technet.microsoft.com/en-us/library/security/ms14-032.aspx
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1823