The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

computer threat bulletin for Skype for Business: information disclosure via the response time - 19918

Synthesis of the vulnerability

An attacker can measure the response time of the Web authentication of Skype for Business, in order to obtain usernames.
Severity of this computer vulnerability: 2/4.
Creation date: 17/06/2016.
References of this announcement: VIGILANCE-VUL-19918.

Description of the vulnerability

The Skype for Business product includes a Web interface and can use a private directory as an account database.

However, the response time of a Web authentication request mainly depends on whether the username is valid. An attacker who can guess realistic usernames can therefore check each guess without access to the directory. In the case of a Windows Active Directory, the guessed account names are also system accounts and possibly mail accounts.

An attacker can therefore measure the response time of the Web authentication of Skype for Business, in order to obtain usernames.

This security threat impacts software or systems such as Skype for Business.

Our Vigil@nce team determined that the severity of this computer weakness note is medium.

The trust level is of type unique source, with an origin of internet client.

An attacker with expert ability can exploit this computer threat alert.

Solutions for this threat

Skype for Business: workaround.
A workaround is to disable the external access.
The information source states that Microsoft will not fix this.
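
Since the only workaround listed is disabling external access, the following added example (not part of the Vigil@nce bulletin or any Microsoft tooling) shows one way to spot the probing itself: a client that fails authentication with many distinct usernames in a short window. The log format, field order, thresholds and function names are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical format (not a Skype for Business log):
# ISO timestamp, client IP, submitted username, HTTP status of the authentication request.
SAMPLE_LOG = (
    # One client, 8 different usernames in 35 seconds: enumeration pattern.
    [f"2016-06-17T10:00:{5 * i:02d} 203.0.113.7 contoso\\user{i} 401" for i in range(8)]
    # One user mistyping a password three times, then succeeding.
    + [f"2016-06-17T10:01:{10 * i:02d} 198.51.100.20 contoso\\alice 401" for i in range(3)]
    + ["2016-06-17T10:01:40 198.51.100.20 contoso\\alice 200"]
    # One client, 6 usernames spaced two minutes apart: below a one-minute window.
    + [f"2016-06-17T10:{10 + 2 * i:02d}:00 192.0.2.44 contoso\\svc{i} 401" for i in range(6)]
)

def parse(line):
    """Split one record into (timestamp, client IP, lower-cased username, status)."""
    ts, ip, user, status = line.split()
    return datetime.fromisoformat(ts), ip, user.lower(), int(status)

def find_enumeration(lines, max_users=5, window=timedelta(minutes=1)):
    """Return {client IP: peak distinct usernames} for every client that failed
    authentication with more than max_users distinct usernames inside the window.
    Records must be in chronological order per client."""
    recent = defaultdict(deque)  # client IP -> (timestamp, username) of recent failures
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, status = parse(line)
        if status != 401:  # only failed authentications are counted
            continue
        attempts = recent[ip]
        attempts.append((ts, user))
        # Drop failures that have fallen out of the sliding window.
        while ts - attempts[0][0] > window:
            attempts.popleft()
        distinct = len({name for _, name in attempts})
        if distinct > max_users:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

if __name__ == "__main__":
    for ip, count in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct usernames failed within one minute")
```

The third constructed client stays under the one-minute window because its attempts are spaced out, so a second pass with a longer window and a higher threshold is worth running alongside the short one.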

Computer vulnerabilities tracking service

Vigil@nce provides an application vulnerability announcement. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications.