-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0147
        Security updates for Microsoft Skype for Business and Lync
                             13 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Microsoft Skype for Business and Lync
Operating System:     Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2017-8696 CVE-2017-8695 CVE-2017-8676
Member content until: Friday, October 13 2017
Reference:            ASB-2017.0142

OVERVIEW

        Microsoft has released its monthly security patch update for the 
        month of September 2017. [1]
        
        This update resolves 3 vulnerabilities across the following 
        products:
        
         Microsoft Lync 2010 (32-bit)
        
         Microsoft Lync 2010 (64-bit)
        
         Microsoft Lync 2010 Attendee (admin level install)
        
         Microsoft Lync 2010 Attendee (user level install)
        
         Microsoft Lync 2013 Service Pack 1 (32-bit)
        
         Microsoft Lync 2013 Service Pack 1 (64-bit)
        
         Microsoft Lync Basic 2013 Service Pack 1 (32-bit)
        
         Microsoft Lync Basic 2013 Service Pack 1 (64-bit)
        
         Skype for Business 2016 (32-bit)
        
         Skype for Business 2016 (64-bit)
        
         Skype for Business 2016 Basic (32-bit)
        
         Skype for Business 2016 Basic (64-bit)


IMPACT

        Microsoft has given the following details regarding these vulnerabilities.
        
         Details         Impact                   Severity
         CVE-2017-8676   Information Disclosure   Important
         CVE-2017-8695   Information Disclosure   Important
         CVE-2017-8696   Remote Code Execution    Important


MITIGATION

        Microsoft recommends updating the software with the version made 
        available on the Microsoft Update Catalog for the following 
        Knowledge Base articles. [1]
        
         KB3213568, KB4025865, KB4025866, KB4011107, KB4011040, KB4025867


REFERENCES

        [1] Security Update Guide
            https://portal.msrc.microsoft.com/en-us/security-guidance

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----