The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Skype for Business

vulnerability CVE-2017-11786

Microsoft Lync 2013, Skype: privilege escalation

Synthesis of the vulnerability

An attacker can bypass restrictions of Microsoft Lync 2013 or Skype, in order to escalate his privileges.
Impacted products: Lync, Skype for Business.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: document.
Creation date: 11/10/2017.
Identifiers: CERTFR-2017-AVI-346, CVE-2017-11786, VIGILANCE-VUL-24090.

Description of the vulnerability

An attacker can bypass restrictions of Microsoft Lync 2013 or Skype, in order to escalate his privileges.

computer vulnerability CVE-2017-8676 CVE-2017-8695 CVE-2017-8696

Microsoft Lync/Skype: vulnerabilities of September 2017

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Microsoft products.
Impacted products: Lync, Skype for Business.
Severity: 3/4.
Consequences: user access/rights, data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 13/09/2017.
Identifiers: CERTFR-2017-AVI-297, CVE-2017-8676, CVE-2017-8695, CVE-2017-8696, VIGILANCE-VUL-23825.

Description of the vulnerability

An attacker can use several vulnerabilities of Microsoft products.

The document located in information sources was generated by Vigil@nce from the Microsoft database. It contains details for each product.

vulnerability note CVE-2017-9948

Microsoft Skype Client: buffer overflow via Clipboard Format

Synthesis of the vulnerability

An attacker can generate a buffer overflow via Clipboard Format of Microsoft Skype, in order to trigger a denial of service, and possibly to run code.
Impacted products: Skype for Business.
Severity: 3/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 26/06/2017.
Identifiers: CVE-2017-9948, VIGILANCE-VUL-23084.

Description of the vulnerability

An attacker can generate a buffer overflow via Clipboard Format of Microsoft Skype, in order to trigger a denial of service, and possibly to run code.

computer vulnerability bulletin CVE-2017-0283 CVE-2017-8527 CVE-2017-8550

Microsoft Skype for Business: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Microsoft Skype for Business.
Impacted products: Skype for Business.
Severity: 4/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 14/06/2017.
Identifiers: CERTFR-2017-AVI-176, CVE-2017-0283, CVE-2017-8527, CVE-2017-8550, VIGILANCE-VUL-22968.

Description of the vulnerability

An attacker can use several vulnerabilities of Microsoft Skype for Business.

computer vulnerability announce CVE-2017-0281

Microsoft Skype for Business: memory corruption

Synthesis of the vulnerability

An attacker can generate a memory corruption of Microsoft Skype for Business, in order to trigger a denial of service, and possibly to run code.
Impacted products: Skype for Business.
Severity: 3/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: intranet client.
Creation date: 10/05/2017.
Identifiers: CERTFR-2017-AVI-145, CVE-2017-0281, VIGILANCE-VUL-22687.

Description of the vulnerability

An attacker can generate a memory corruption of Microsoft Skype for Business, in order to trigger a denial of service, and possibly to run code.

computer vulnerability announce CVE-2017-6517

Microsoft Skype: executing DLL code via api-ms-win-core-winrt-string-l1-1-0.dll

Synthesis of the vulnerability

An attacker can create a malicious api-ms-win-core-winrt-string-l1-1-0.dll DLL, and then put it in the current directory of Microsoft Skype, in order to execute code.
Impacted products: Skype for Business.
Severity: 2/4.
Consequences: user access/rights.
Provenance: intranet server.
Creation date: 17/03/2017.
Identifiers: CVE-2017-6517, VIGILANCE-VUL-22167.

Description of the vulnerability

The Microsoft Skype product uses external shared libraries (DLL).

However, if the working directory contains a malicious api-ms-win-core-winrt-string-l1-1-0.dll DLL, it is automatically loaded.

An attacker can therefore create a malicious api-ms-win-core-winrt-string-l1-1-0.dll DLL, and then put it in the current directory of Microsoft Skype, in order to execute code.

vulnerability alert CVE-2017-0060 CVE-2017-0073 CVE-2017-0108

Skype for Business: vulnerabilities of March 2017

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Microsoft products.
Impacted products: Skype for Business.
Severity: 3/4.
Consequences: user access/rights.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 14/03/2017.
Identifiers: CVE-2017-0060, CVE-2017-0073, CVE-2017-0108, VIGILANCE-VUL-22131.

Description of the vulnerability

An attacker can use several vulnerabilities of Microsoft products.

The document located in information sources was generated by Vigil@nce from the Microsoft database. It contains details for each product.

computer vulnerability note CVE-2016-3209 CVE-2016-3262 CVE-2016-3263

Windows, .NET, Office, Skype, Lync, Silverlight: seven vulnerabilities via Graphics Component

Synthesis of the vulnerability

Several vulnerabilities were announced in Windows, .NET, Office, Skype, Lync and Silverlight.
Impacted products: Lync, .NET Framework, Office, Access, Office Communicator, Excel, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word, Silverlight, Skype for Business, Windows 10, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows RT, Windows Vista.
Severity: 4/4.
Consequences: user access/rights, data reading, denial of service on server, denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 7.
Creation date: 12/10/2016.
Identifiers: 3192884, 825, 829, 864, 868, CERTFR-2016-AVI-340, CVE-2016-3209, CVE-2016-3262, CVE-2016-3263, CVE-2016-3270, CVE-2016-3393, CVE-2016-3396, CVE-2016-7182, MS16-120, VIGILANCE-VUL-20829.

Description of the vulnerability

Several vulnerabilities were announced in Windows, .NET, Office, Skype, Lync and Silverlight.

An attacker can use a vulnerability via GDI+, in order to run code. [severity:4/4; CVE-2016-3393]

An attacker can use a vulnerability via GDI+, in order to run code. [severity:4/4; CVE-2016-3396]

An attacker can bypass security features via GDI+, in order to obtain sensitive information. [severity:2/4; CVE-2016-3209]

An attacker can bypass security features via GDI+, in order to obtain sensitive information. [severity:2/4; CVE-2016-3262]

An attacker can bypass security features via GDI+, in order to obtain sensitive information. [severity:2/4; CVE-2016-3263]

An attacker can bypass security features via True Type Font, in order to escalate his privileges. [severity:2/4; CVE-2016-7182]

An attacker can bypass security features via Win32k, in order to escalate his privileges. [severity:2/4; CVE-2016-3270]

computer vulnerability bulletin 19918

Skype for Business: information disclosure via the response time

Synthesis of the vulnerability

An attacker can measure the response time of the Web authentication of Skype for Business, in order to obtain usernames.
Impacted products: Skype for Business.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 17/06/2016.
Identifiers: VIGILANCE-VUL-19918.

Description of the vulnerability

The Skype for Business product includes a Web interface and can use a private directory as an account database.

However, the response time of a Web authentication request mainly depends on whether the username is valid. An attacker who can guess realistic values for usernames can check his guess without access to the directory. In the case of a Windows Active Directory, the guessed account names are also system accounts and maybe mail accounts.

An attacker can therefore measure the response time of the Web authentication of Skype for Business, in order to obtain usernames.

vulnerability note CVE-2016-0143 CVE-2016-0145 CVE-2016-0165

Windows, .NET, Office, Skype, Lync: four vulnerabilities of Graphics Component

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Graphics Component of Windows, .NET, Office, Skype, Lync.
Impacted products: Lync, .NET Framework, Office, Access, Office Communicator, Excel, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word, Skype for Business, Windows 10, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows RT, Windows Vista.
Severity: 4/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 4.
Creation date: 12/04/2016.
Identifiers: 3148522, 684, 707, CERTFR-2016-AVI-122, CERTFR-2016-AVI-123, CVE-2016-0143, CVE-2016-0145, CVE-2016-0165, CVE-2016-0167, MS16-039, VIGILANCE-VUL-19354.

Description of the vulnerability

Several vulnerabilities were announced in Windows, .NET, Office, Skype, Lync.

An attacker can bypass security features in Win32k, in order to escalate his privileges. [severity:2/4; CVE-2016-0143]

An attacker can generate a memory corruption, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2016-0145]

An attacker can bypass security features in Win32k, in order to escalate his privileges. [severity:2/4; CVE-2016-0165]

An attacker can bypass security features in Win32k, in order to escalate his privileges. [severity:2/4; CVE-2016-0167]