A vulnerability has been discovered in Microsoft Lync Server that could allow information disclosure. Microsoft Lync Server is an enterprise real-time communications server software, providing the infrastructure for enterprise instant messaging, VoIP, ad hoc and structured conferences (audio, video and web conferencing) and PSTN connectivity through a third-party gateway or SIP trunk. Successful exploitation of this vulnerability could result in an attacker obtaining information from a user's web session if the user tries to join a Lync meeting by clicking a specially crafted meeting URL.
- Microsoft Lync Server 2010 (Web Components Server)
- Microsoft Lync Server 2013 (Web Components Server)
Successful exploitation of this vulnerability could result in an attacker obtaining information if a user tries to join a Lync meeting by clicking a specially crafted meeting URL. The vulnerability is caused when Lync Server does not properly sanitize specially crafted content. An attacker who successfully exploits this vulnerability could potentially execute scripts in the user's browser to obtain information from web sessions.
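Because the attack relies on the user following a meeting URL that carries script markup, web-server or proxy logs for the Web Components Server are the natural place to look for attempts. The following is an added example, not code from the advisory or from Microsoft: it scans constructed log lines for meeting-join requests whose query parameters decode to HTML or script markup. The `/meet/` path prefix and the simplified `client method url status` log format are assumptions; adjust both to the real log source.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample log lines (not from any real server). The format is an
# assumed simplified "client-ip method url status"; the /meet/ prefix is an
# assumed placeholder for a Lync Web Components meeting-join URL.
SAMPLE_LOG = """\
10.0.0.5 GET /meet/alice/ABC123?lang=en-us 200
10.0.0.6 GET /meet/bob/XYZ789?lang=%3Cscript%3Ealert(1)%3C/script%3E 200
10.0.0.7 GET /meet/carol/DEF456?lang=en-us&title=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1) 200
10.0.0.8 GET /meet/dave/GHI789?lang=%253Cscript%253Ealert(1)%253C/script%253E 200
"""

# Markup that has no business in a meeting-join parameter: an opening or
# closing tag, a javascript: URL, or an inline event-handler attribute.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]+|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so nested encodings cannot hide markup."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious_joins(log_text, meeting_prefix="/meet/"):
    """Return (client, parameter, matched_fragment) for each suspicious join."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash
        client, _method, url, _status = parts[:4]
        split = urlsplit(url)
        if not split.path.lower().startswith(meeting_prefix):
            continue  # only meeting-join requests are of interest here
        # parse_qsl already decodes one layer; decode_fully handles the rest
        for name, value in parse_qsl(split.query, keep_blank_values=True):
            match = SUSPICIOUS.search(decode_fully(value))
            if match:
                hits.append((client, name, match.group(0)))
    return hits


if __name__ == "__main__":
    for client, param, fragment in find_suspicious_joins(SAMPLE_LOG):
        print(f"{client}: parameter '{param}' contains {fragment!r}")
```

The double-encoded fourth line is caught only because of the repeated decoding; a single `unquote` would miss it.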
- Update vulnerable Microsoft Lync products immediately after appropriate testing.
- Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
- Remind users not to open email attachments or click on URLs from unknown or untrusted sources.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.