I see Microsoft has just released a security update for the Lync 2013 Client (kb2881013) which appears to be the Lync-specific fix under the MS14-036 security bulletin umbrella (and which is why clicking the kb’s link takes you to the bulletin’s page).
This update takes the Lync 2013 Client to 15.0.4623.1000.
"This security update resolves a vulnerability in Microsoft Lync that could allow information disclosure if a user opens a specially crafted Lync meeting request."
What’s New / Fixed?
The update also includes some bugfixes:
2962975 Lync 2013 starts and prompts you for credentials when you join meeting without account that is provisioned for Lync 2013
2968239 "An error occurred" error when a Lync 2013 user joins a Lync Online meeting that is created by a non-federated user
2968243 Lync 2013 crashes when you annotate in a shared whiteboard or present a PPT after recording
2968248 Lync 2013 video quality is low when you scale up the size of the video window in UI suppression mode
2968251 Update adds an upload notification when you upload PPT in a meeting in Lync 2013
2962990 Escape special characters when creating a contact or group in UCS mode in the packet that is sent to the server
2962980 Lync 2013 prompts you for Exchange credential in an Exchange deployed environment
2962982 Caller’s display name is not in the toast notification when you receive a call in Lync 2013
2962986 Lync 2013 takes a long time to sign in after it is disconnected from a front-end server
2962989 Lync 2013 freezes during signing in when you have a long-time meeting scheduled in your Outlook calendar
Known Issues
There are no "known issues" listed; however, this update appears to still leave the Outlook 2010 contact issue unresolved, so I’ll again paste the warning I’ve attached to all recent Client updates:
If you install this update, users of Outlook 2007 and Outlook 2010 will no longer be able to see (or call) the numbers of their Outlook Contacts. Microsoft is aware of this and offers two work-arounds: edit the Contact to remove their e-mail address, or change the user’s CsClientPolicy to set “DisplayPhoto” to “NoPhoto”. Bounce the clients, wait for a contact re-fresh/re-synch and all will be well – just a bit clunky without the photos. This has been fixed in the August 2014 update – at least for Outlook 2010.
Pre-Requisites
Several of these have been updated since the May patch:
Update | Download | Current Version | Released |
Office 2013 MSO (kb2878316) * | x86 x64 | 1.0 | 29 April 2014 |
MSORES (kb2817624) | x86 x64 | 1.0 | 6 Sept 2013 |
IDCRL (kb2820640) | x86 x64 | 1.0 | 6 May 2014 |
LyncHelp (kb2850074) | x86 x64 | 1.0 | 2 June 2014 |
* The MSO pre-req kb2878316 appears to be the Office 2013 fixes under the MS14-023 security bulletin umbrella.
Download
It looks to me like this update delivers the Lync client bugfixes (itemised above) and the security fix in separate installers. The bugfixes are all documented in the article for kb2850074 – the LyncHelp pre-req. Meanwhile, Lync’s Help/About won’t reflect the new release until you install one of these updates – so that’s presumably where the fix for the “specifically crafted meeting request” in the security bulletin resides:
Reboot?
I exited Lync on my x64 Win 8.1 machine before applying any updates and the process required no reboot.
Before & After
Here’s a before and after comparison of my client on a Windows 8.1 machine.
Before | After |
Lync 15.0.4615.1000 MSO 15.0.4615.1000 | Lync 15.0.4623.1000 MSO 15.0.4615.1000 |
[This post was edited significantly on July 1st, replacing the earlier interim post while I was on leave overseas].
– G.