Today we see one of a (thankfully) rare occurrence – a security update for Skype for Business Server (both 2015 and 2019). A quick search through my blog history says our last one of those was in September 2015! (Has it really been that long?)
Otherwise it’s been two months since our last bugfix update. That was 6.0.9319.580.This is build 6.0.9319.591, and it updated only two components on my Standard Edition Front-End.
- Kb 4564307 Vulnerability exists when Skype for Business Server incorrectly handles OAuth token validation
This security update resolves vulnerabilities that exist when Skype for Business Server incorrectly handles OAuth token validation. To learn more about these vulnerabilities, see Microsoft Common Vulnerabilities and Exposures CVE-2020-1025:
An elevation of privilege vulnerability exists when Microsoft SharePoint Server and Skype for Business Server improperly handle OAuth token validation. An attacker who successfully exploited the vulnerability could bypass authentication and achieve improper access.
To exploit this vulnerability, an attacker would need to modify the token.
The update addresses the vulnerability by modifying how Microsoft SharePoint Server and Skype for Business Server validate tokens.
Nothing noted. No cmdlets have been added to the SfB module in this update.
After you install the January 2019 cumulative update 6.0.9319.537 (CU8) for Microsoft Skype for Business Server 2015, the Unified Communications Web API (UCWA) applications, such as Skype for Business on Mac, a web application for UCWA, and Skype for Business mobile clients, can’t make a call or join a meeting. For more information, please see the following article:
UCWA client cannot make a call or join a meeting after installing Skype for Business Server update 6.0.9319.537
Here’s the “before” view of it going on to my Lab’s Standard Edition Front-End:
The installer didn’t prompt me to reboot, but I always like to give it one for good measure.
15th July 2020: This is the initial release.