Microsoft Communicator R2 update


















Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service.

After applying this workaround, it is still possible for remote attackers who successfully exploit this vulnerability to cause the system to run programs located on the targeted user's computer or the local area network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.

Impact of workaround. In addition, any services that explicitly depend on the Web Client service will not start, and an error message will be logged in the System log. For example, WebDAV shares will be inaccessible from the client computer. These ports are used to initiate a connection with the affected component. Blocking TCP ports and at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability.

Microsoft recommends that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function. Some of the applications or services that could be impacted are listed below:. How to undo the workaround. Unblock TCP ports and at the firewall.

The vulnerability is caused when Microsoft Lync incorrectly restricts the path used for loading external libraries. An attacker who successfully exploited this vulnerability could run arbitrary code as the current user.

If the current user is logged-on with administrative user rights, an attacker could take complete control of the affected system. An attacker could convince a user to open a legitimate Microsoft Lync related file such as an. Then, while opening the legitimate file, Microsoft Lync could attempt to load the DLL file and execute any code it contained.

In an email attack scenario, an attacker could exploit the vulnerability by sending a legitimate Microsoft Lync-related file such as an. Systems where Microsoft Lync is used, including workstations and terminal servers, are primarily at risk.

The update addresses this vulnerability by correcting how Microsoft Lync loads external libraries. Is this vulnerability related to Microsoft Security Advisory ? Yes, this vulnerability is related to the class of vulnerabilities, described in Microsoft Security Advisory , that affects how applications load external libraries.
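A detection-side view of the library-loading issue and the WebDAV/LAN vectors described above, as an added example that is not part of the original bulletin: it scans image-load records for a watched client process loading a DLL from a WebDAV or UNC path. The record layout follows Sysmon image-load (Event ID 7) field names; the process names, hosts and paths are constructed sample data and assumptions.

```python
# Added example: flag DLL loads from remote paths by Communicator/Lync.
# Assumption: events are dicts with Sysmon Event ID 7 style fields
# "Image" (loading process) and "ImageLoaded" (module path).

# Assumption: client process names to watch; adjust for your deployment.
WATCHED = {"communicator.exe", "lync.exe"}


def classify_path(path):
    """Return 'webdav', 'unc' or 'local' for a Windows module path."""
    p = path
    if p.upper().startswith("\\\\?\\UNC\\"):   # \\?\UNC\host\share form
        p = "\\\\" + p[8:]
    elif p.startswith("\\\\?\\"):               # \\?\C:\... is still local
        return "local"
    if not p.startswith("\\\\"):
        # Caveat: a mapped drive letter looks local here; resolving drive
        # mappings needs host context that the path alone does not carry.
        return "local"
    parts = p[2:].split("\\")
    host = parts[0]
    share = parts[1].lower() if len(parts) > 1 else ""
    # The WebDAV redirector uses host@SSL / host@port or a DavWWWRoot share.
    if "@" in host or share == "davwwwroot":
        return "webdav"
    return "unc"


def find_remote_loads(events, watched=WATCHED):
    """Return (process, origin, module) for remote loads by watched processes."""
    hits = []
    for ev in events:
        proc = ev["Image"].rsplit("\\", 1)[-1].lower()
        origin = classify_path(ev["ImageLoaded"])
        if proc in watched and origin != "local":
            hits.append((proc, origin, ev["ImageLoaded"]))
    return hits


# Constructed sample records (not taken from any real system).
OC = r"C:\Program Files\Microsoft Office Communicator\communicator.exe"
SAMPLE_EVENTS = [
    {"Image": OC, "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"Image": OC, "ImageLoaded": r"\\files.example.test@SSL\DavWWWRoot\meetings\helper.dll"},
    {"Image": r"C:\Program Files\Microsoft Lync\lync.exe", "ImageLoaded": r"\\fileserver01\projects\helper.dll"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": r"\\fileserver01\tools\plugin.dll"},
]

if __name__ == "__main__":
    for proc, origin, module in find_remote_loads(SAMPLE_EVENTS):
        print(f"{proc}: {origin} load of {module}")
```

With the WebClient service disabled, the `webdav` class should stop appearing; `unc` hits correspond to the LAN case that the workaround does not cover.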

An information disclosure vulnerability exists in the way that HTML is filtered that could allow an attacker to perform cross-site scripting attacks and run script in the security context of the current user.

This is an information disclosure vulnerability. An attacker who successfully exploited the vulnerability could perform cross-site scripting attacks against Lync or Microsoft Communicator users. An attacker could then potentially run script on behalf of a victim user. To exploit this vulnerability, an attacker must have the ability to submit a specially crafted script to a Lync or Microsoft Communicator chat window.

Because of the vulnerability, in specific situations the specially crafted script is not properly sanitized, which subsequently could lead to an attacker-supplied script being run in the security context of a user who views the malicious content.

For cross-site scripting attacks, this vulnerability requires that a user receives a specially crafted chat message for any malicious action to occur. Systems where Lync or Microsoft Communicator are used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability. Manage the software and security updates you need to deploy to the servers, desktop, and mobile systems in your organization.

The Microsoft TechNet Security website provides additional information about security in Microsoft products. File information This update may not contain all the files that you must have to fully update a product to the latest build.

Update replacement information This update replaces the previously released update that is discussed in Microsoft Knowledge Base KB article For more information, click the following article number to view the article in the Microsoft Knowledge Base: Description of the Communicator R2 hotfix rollup package: May Registry information You do not have to make any changes to the registry to apply this update.

File information This update may not contain all the files that you must have to fully update a product to the latest build. After the update is installed, the global version of this update has the file attributes, or a later version of the file attributes, that are listed in the following table: File name File version File size Date Time Platform Appshapi.

Whether you must make any registry changes. The files that the update contains. For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base: Description of the update for Live Meeting Conferencing Add-in for Outlook: July Description of the update package for Office Communications Server R2: July, This cumulative update also includes the following previously released update: An Automatic Update download is not initiated on a computer that is running Office Communicator R2 build 3.

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base: How to obtain Microsoft support files from online services Microsoft scanned this file for viruses. Prerequisites There are no prerequisites for installing this update package. Restart requirement You may have to restart the computer if certain dependencies of Office Communicator are still running when the update is applied.



