Multiple vulnerabilities in Microsoft Lync



Published: 2017-03-15
Risk High
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2017-0108
CVE-2017-0073
CVE-2017-0060
CWE-ID CWE-119
CWE-200
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #3 is available.
Vulnerable software
Subscribe
Microsoft Lync
Client/Desktop applications / Messaging software

Lync Attendee
Client/Desktop applications / Messaging software

Vendor Microsoft

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Memory corruption

EUVDB-ID: #VU6060

Risk: High

CVSSv3.1:

CVE-ID: CVE-2017-0108

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to improper handling of objects in memory by Windows Graphics Device Interface (GDI). A remote attacker can create a specially crafted Web site containing a malicious Word content, trick the victim into visiting it and execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Lync: 2010 - 2013


CPE2.3 External links

http://technet.microsoft.com/en-us/library/security/MS17-013

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Information disclosure

EUVDB-ID: #VU6045

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2017-0073

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The weakness exists due to improper handling of objects in memory by Windows Graphics Device Interface (GDI). A local attacker can run a specially crafted application and retrieve information from a targeted system.

Successful exploitation of the vulnerability may result in information disclosure on the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Lync Attendee: 2010 - 2013


CPE2.3 External links

http://technet.microsoft.com/en-us/library/security/MS17-013

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Information disclosure

EUVDB-ID: #VU6042

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2017-0060

CWE-ID: CWE-200 - Information Exposure

Exploit availability: Yes

Description

The vulnerability allows a local attacker to obtain potentially sensitive information on the target system.

The weakness exists due to improper handling of objects in memory by Windows Graphics Device Interface (GDI). A local attacker can run a specially crafted application and retrieve information from a targeted system.

Successful exploitation of the vulnerability may result in information disclosure on the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft Lync: 2010 - 2013


CPE2.3 External links

http://technet.microsoft.com/en-us/library/security/MS17-013

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###