Lync Remote Code Execution Vulnerability – 9 July 2013

Microsoft has published a Critical security bulletin (MS13-054) detailing a “Vulnerability in GDI+ [That] Could Allow Remote Code Execution (2848295)”.

“This security update resolves a privately reported vulnerability in Microsoft Windows, Microsoft Office, Microsoft Lync, and Microsoft Visual Studio. The vulnerability could allow remote code execution if a user views shared content that embeds TrueType font files”.

The bulletin is HERE.

Products impacted

It seems quite a significant vulnerability (noting that it was “privately reported”, so no exploit details are public), with potential impact to every Windows release of the last decade, from XP through to Windows 8, RT and Server 2012, as well as Office 2003 through 2010.

In the UC space, it impacts the following products:

I’ve also placed the download links on the respective Lync Resource Toolkit pages (at the very top of the right-hand menus).

A Silver Lining

It would seem that when a Hotfix like this is released, we also get the latest “working version” of the client update. Accordingly, some improvements to Lync 2013 have snuck into this release, although they’re not formally documented. Blogging power-house Matt Landis has collated several of the ‘found’ improvements HERE, which include:

Thanks to all for unearthing and posting these beauties!

Before & After

Here are the before and after shots from the full version of the Lync 2013 client. I decided to exit the client before I applied the update, but alas, I still needed the reboot:


Before (with May Hotfix)        After
Lync 15.0.4481.1000             Lync 15.0.4517.1004
MSO  15.0.4420.1017             MSO  15.0.4420.1017
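If you want to confirm the update landed on a machine without opening Help / About, the file version of lync.exe tells you the same thing the screenshots do. The script below is an added example, not something from the post or from Microsoft; it assumes the client is in the default Office15 folder and treats the build shown in the “After” column (15.0.4517.1004) as the patched baseline.

```powershell
# Added example (not from the original post): report whether the installed Lync 2013
# client is at or above the build the post shows after applying the MS13-054 update.
# Assumptions: lync.exe and mso.dll live in the default Office15 folder, and
# 15.0.4517.1004 (the post's "After" Lync build) is the patched baseline.

$PatchedLyncBuild = [version]'15.0.4517.1004'

# Default install locations for the 32- and 64-bit Lync 2013 client (assumed defaults)
$OfficeFolders = @(
    "$env:ProgramFiles\Microsoft Office\Office15",
    "${env:ProgramFiles(x86)}\Microsoft Office\Office15"
)

function Get-BinaryVersion {
    param([string]$Path)
    # Build a [version] from the numeric parts so trailing text in FileVersion can't break parsing
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

$Folder = $OfficeFolders | Where-Object { Test-Path (Join-Path $_ 'lync.exe') } | Select-Object -First 1
if (-not $Folder) {
    Write-Warning 'lync.exe not found in the default Office15 folders; adjust $OfficeFolders.'
    return
}

$LyncVersion = Get-BinaryVersion (Join-Path $Folder 'lync.exe')
$MsoVersion  = if (Test-Path (Join-Path $Folder 'mso.dll')) { Get-BinaryVersion (Join-Path $Folder 'mso.dll') }

[pscustomobject]@{
    Folder   = $Folder
    Lync     = $LyncVersion          # 15.0.4481.1000 before the July update, 15.0.4517.1004 after
    MSO      = $MsoVersion           # unchanged by this update in the post's screenshots
    Patched  = ($LyncVersion -ge $PatchedLyncBuild)
}
```

Run it in an elevated or normal PowerShell session on the client; a Patched value of False means the July build has not been applied (or the reboot it asks for hasn't happened yet, since the new binary is only swapped in once the in-use file is released).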


G.
