The issue allows a remote attacker to execute code by tricking a victim into performing some typical action such as opening document file without any warning being shown to the user. It is worth noting that the flaw is only exploitable on systems running Windows 7 and older versions of the operating system that are no longer supported by Microsoft. Another mitigating factor is that the attack requires user interaction. Users are advised to download the newest version of the client app.
Over the weekend the company has also released a planned update for Phone and Web users, which brings AES-256 bit encryption.
“Account owners and admins can upgrade to SRTP with AES-256 bit encryption for specific sites and models. By default, AES-128 bit is enabled. Admins must enable AES-256 bit in the web portal,” according to the released notes on the update.
Additionally, the update introduces a “call monitoring” feature for Mobile users which allows them to “listen to a call without the parties being aware; speak to a phone user in a call without other parties being aware; join a call and speak to all parties; or take over the call from another user.”
The July 12th Web update also comes with several new features, including a customized speed dial supporting the busy lamp field (BLF) feature, call parking, the ability to create a shared directory of external contacts, and “minor bug fixes.”