Описание
Skype for Business Remote Code Execution Vulnerability
A remote code execution vulnerability exists when Skype for Business and Microsoft Lync Servers fail to properly sanitize specially crafted content.
An authenticated attacker who successfully exploited this vulnerability could execute HTML and JavaScript content in the Skype for Business or Lync context. An attacker could use this vulnerability to open a web page using the default browser, open another messaging session with someone else, or potentially trigger other URIs defined on the client’s system for another application.
To exploit this vulnerability an attacker could invite a user to an instant message session and then send a message that contains specially crafted JavaScript content. The update addresses the vulnerability by correcting how Skype for Business and Lync Servers sanitize content.
FAQ
This security update is for the Click-to-Run (C2R) version only. For more information and the current Click-to-Run version number, see Office 365 client update channel releases.
I am being offered this update for software that is not specifically indicated as being affected in the Affected Products table. Why am I being offered this update? When updates address vulnerable code that exists in a component that is shared between multiple Microsoft Office products or shared between multiple versions of the same Microsoft Office product, the update is considered to be applicable to all supported products and versions that contain the vulnerable component.
For example, when an update applies to Microsoft Office 2007 products, only Microsoft Office 2007 may be specifically listed in the Affected Products table. However, the update could apply to Microsoft Word 2007, Microsoft Excel 2007, Microsoft Visio 2007, Microsoft Compatibility Pack, Microsoft Excel Viewer, or any other Microsoft Office 2007 product that is not specifically listed in the Affected Products table. Furthermore, when an update applies to Microsoft Office 2010 products, only Microsoft Office 2010 may be specifically listed in the Affected Products table. However, the update could apply to Microsoft Word 2010, Microsoft Excel 2010, Microsoft Visio 2010, Microsoft Visio Viewer, or any other Microsoft Office 2010 product that is not specifically listed in the Affected Products table.
For more information on this behavior and recommended actions, see Microsoft Knowledge Base Article 830335. For a list of Microsoft Office products that an update may apply to, refer to the Microsoft Knowledge Base Article associated with the specific update.
Возможность эксплуатации
Publicly Disclosed
Exploited
Latest Software Release
Older Software Release
EPSS
Связанные уязвимости
A remote code execution vulnerability exists in Skype for Business when the software fails to sanitize specially crafted content, aka "Skype for Business Remote Code Execution Vulnerability".
A remote code execution vulnerability exists in Skype for Business when the software fails to sanitize specially crafted content, aka "Skype for Business Remote Code Execution Vulnerability".
Уязвимость пакета программ Microsoft Office и программы мгновенного обмена сообщениями Skype for Business, позволяющая нарушителю выполнить произвольный код
EPSS