
Test ID: 1.3.6.1.4.1.25623.1.0.902842
Category: Windows : Microsoft Bulletins
Title: Microsoft Lync Remote Code Execution Vulnerabilities (2707956)
Summary: This host is missing a critical security update according to Microsoft Bulletin MS12-039.
Description:
Summary:
This host is missing a critical security update according to
Microsoft Bulletin MS12-039.

Vulnerability Insight:
- An error within the Win32k kernel-mode driver (win32k.sys) when parsing
TrueType fonts.

- An error in the t2embed.dll module when parsing TrueType fonts.

- The client loads libraries in an insecure manner, which can be exploited
to load arbitrary libraries by tricking a user into opening a '.ocsmeet'
file located on a remote WebDAV or SMB share.

- An unspecified error in the 'SafeHTML' API when sanitising HTML code can
be exploited to execute arbitrary HTML and script code in the user's chat
session.

Vulnerability Impact:
Successful exploitation could allow an attacker to execute arbitrary code
with kernel-level privileges. Failed exploit attempts may result in a
denial of service condition.

Affected Software/OS:
- Microsoft Lync 2010

- Microsoft Lync 2010 Attendee

- Microsoft Lync 2010 Attendant

- Microsoft Communicator 2007 R2

Solution:
The vendor has released updates. Please see the references for more information.

CVSS Score:
9.3

CVSS Vector:
AV:N/AC:M/Au:N/C:C/I:C/A:C

Cross Reference:
Common Vulnerability Exposure (CVE) ID: CVE-2011-3402
Cert/CC Advisory: TA11-347A
http://www.us-cert.gov/cas/techalerts/TA11-347A.html
Cert/CC Advisory: TA12-129A
http://www.us-cert.gov/cas/techalerts/TA12-129A.html
Cert/CC Advisory: TA12-164A
http://www.us-cert.gov/cas/techalerts/TA12-164A.html
http://blogs.mcafee.com/mcafee-labs/the-day-of-the-golden-jackal-%E2%80%93-further-tales-of-the-stuxnet-files
http://isc.sans.edu/diary/Duqu+Mitigation/11950
http://www.securelist.com/en/blog/208193197/The_Mystery_of_Duqu_Part_Two
http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf
http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-291-01E.pdf
Microsoft Security Bulletin: MS11-087
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-087
Microsoft Security Bulletin: MS12-034
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-034
Microsoft Security Bulletin: MS12-039
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-039
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13998
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15290
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15645
http://www.securitytracker.com/id?1027039
http://secunia.com/advisories/49121
http://secunia.com/advisories/49122
Common Vulnerability Exposure (CVE) ID: CVE-2012-0159
BugTraq ID: 53335
http://www.securityfocus.com/bid/53335
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15388
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15667
XForce ISS Database: microsoft-truetype-code-exec(75124)
https://exchange.xforce.ibmcloud.com/vulnerabilities/75124
Common Vulnerability Exposure (CVE) ID: CVE-2012-1849
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14874
Common Vulnerability Exposure (CVE) ID: CVE-2012-1858
Cert/CC Advisory: TA12-192A
http://www.us-cert.gov/cas/techalerts/TA12-192A.html
Microsoft Security Bulletin: MS12-037
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-037
Microsoft Security Bulletin: MS12-050
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-050
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15530
Copyright: Copyright (C) 2012 Greenbone AG
