MS15-123: Security update for Skype for Business and Lync to address information disclosure: November 10, 2015

View products that this article applies to.

Summary

This security update resolves a vulnerability in Skype for Business and Microsoft Lync. The vulnerability could allow information disclosure if an attacker invites a user to an instant message session and then sends that user a message that contains specially crafted JavaScript content. To learn more about the vulnerability, see Microsoft Security Bulletin MS15-123.

↑ Back to the top

More information about this security update

The following articles contain more information about this security update as it relates to individual product versions. The articles may contain known issue information.

3101496 MS15-116 and MS15-123: Description of the security update for Lync 2013 (Skype for Business): November 10, 2015
3096738 MS15-123: Description of the security update for Lync 2010 Attendee (admin level install): November 10, 2015
3096736 MS15-123: Description of the security update for Lync 2010 Attendee (user level install): November 10, 2015
3096735 MS15-123: Description of the security update for Lync 2010: November 10, 2015
3085634 MS15-116 and MS15-123: Description of the security update for Skype for Business 2016: November 10, 2015

Nonsecurity-related fixes that are included in this security update

↑ Back to the top

Security update deployment information

Microsoft Lync 2010, Microsoft Lync 2010 Attendee, Microsoft Lync 2013 (Skype for Business), Microsoft Lync Basic 2013 (Skype for Business Basic), Skype for Business 2016, and Skype for Business Basic 2016

Reference table

The following table contains the security update information for this software.

Security update file name	For Microsoft Lync 2010 (32-bit) (3096735): lync.msp
	For Microsoft Lync 2010 (64-bit) (3096735): lync.msp
	For Microsoft Lync 2010 Attendee (user level install) (3096736): AttendeeUser.msp
	For Microsoft Lync 2010 Attendee (admin level install) (3096738): AttendeeAdmin.msp
	For all supported 32-bit editions of Microsoft Lync 2013 (Skype for Business) and Microsoft Lync Basic 2013 (Skype for Business Basic): lync2013-kb3101496-fullfile-x86-glb.exe
	For all supported 64-bit editions of Microsoft Lync 2013 (Skype for Business) and Microsoft Lync Basic 2013 (Skype for Business Basic): lync2013-kb3101496-fullfile-x64-glb.exe
	For all supported 32-bit editions of Skype for Business 2016 and Skype for Business Basic 2016: lync2016-kb3085634-fullfile-x86-glb.exe
	For all supported 64-bit editions of Skype for Business Basic 2016: lync2016-kb3085634-fullfile-x64-glb.exe
Installation switches	See Microsoft Knowledge Base Article 912203
Restart requirement	In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, you receive a message that advises you to restart. To help reduce the possibility that a restart will be required, stop all affected services and close all applications that may use the affected files before you install the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012.
Removal information	Use Add or Remove Programs item in Control Panel.
File information	For all supported editions of Microsoft Lync 2010: See Microsoft Knowledge Base Article 3096735
	For Microsoft Lync 2010 Attendee (user level install): See Microsoft Knowledge Base Article 3096736
	For Microsoft Lync 2010 Attendee (admin level install): See Microsoft Knowledge Base Article 3096738
	For Microsoft Link 2013 (Skype for Business) and Microsoft Link Basic 2013 (Skype for Business Basic): See Microsoft Knowledge Base Article 3101496
	For Skype for Business 2016 and Skype for Business Basic 2016: See Microsoft Knowledge Base Article 3085634
Registry key verification	For Microsoft Lync 2010 (32-bit): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0EEB34F6-991D-4a1b-8EEB-772DA0EADB22} Version = 7577.4484
	For Microsoft Lync 2010 (64-bit): HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EEB34F6-991D-4a1b-8EEB-772DA0EADB22} Version = 7577.4484
	For Microsoft Lync 2010 Attendee (admin level install): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\94E53390F8C13794999249B19E6CFE33\InstallProperties\DisplayVersion = 4.0.7577.4484
	For Microsoft Lync 2010 Attendee (user level install): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0EEB34F6-991D-4a1b-8EEB-772DA0EADB22} Version = 7577.4484
	For Microsoft Lync 2013 (Skype for Business) and Microsoft Lync Basic 2013 (Skype for Business Basic): Not applicable
	For Skype for Business 2016 and Skype for Business Basic 2016: Not applicable

Microsoft Lync Room System

Reference table

The following table contains the security update information for this software.

Security update file name	For SMART Room System (3108096): SMARTLyncRoomUpdates.exe
	For Crestron RL (3108096): CrestronLyncRoomUpdates.exe
Installation switches	See Microsoft Knowledge Base Article 912203
Restart requirement	A system restart is required after you apply this security update.
Removal Information	The updates are removable only by performing a factory reset.
File information	For SMART Room System: See Microsoft Knowledge Base Article 3108096
	For Crestron RL: See Microsoft Knowledge Base Article 3108096
Registry key verification	For SMART Room System: Not applicable
	For Crestron RL: Not applicable

File hash information

File name	SHA1 hash	SHA256 hash
AttendeeAdmin.msp	A22099CBD39776DA7EE5684D2F8C1660FB71E2C8	2852B9E5685E4BF22DFC875CE5AF80D5BE4CA1CD0BC3BD34B5A66A19B92043BF
AttendeeUser.msp	5B1D73552142D8E10833ED251C85324499E54CA3	55E3687D1028AF83DF008D8671C762BCBEA4418B3AC0722CDA1FCAF0A7018897
CrestronLyncRoomUpdates.exe	BC5D328BD296212DE2063356204C7CC82F820A5A	AE2F0F4FD263B03B8F79DBA587F0FB30F9D1C4D366D1FA071E99C2AA613550BA
Lync.msp (For x64-based versions)	33B66E65C61662E3E51F3504C06ED49AF7B76CE6	8C4850E9C71325DD71BE0CDB040B09BB8C10917030CE96DC8DE8BE02F30FC5E4
Lync.msp (For x86-based versions)	F06A8F8AC4FD53B4424305A164F9A0C716409DAC	63559FF9BF347E32A84B554F668558AD8DD0C68853308EE7D52B61C16FD03DB4
SMARTLyncRoomUpdates.exe	A6771BDA5FF97181AF29B64F7D14E94E7E4D7573	B2B3294B113933AB52C3681829DB97276B6DD0D7AA7F20BA184EBAC88EF56E97
lync2013-kb3101496-fullfile-x64-glb.exe	3B4187E79E318E93BA3189C11E86D4570623E920	08677AD12DB42DE94893FB849B18EE450A95F521F110719C74DD96322EB41173
lync2013-kb3101496-fullfile-x86-glb.exe	321B98C24C9AF6816AA81E3515588988D82DE568	7A8EC9A03AF6A503C26641CFEF6AF8BB9D3856D457CA8CC86A4FB55A3591BD01
lync2016-kb3085634-fullfile-x64-glb.exe	6741FDEB39D6B2C65F1F7B950A07C5C701398109	27A9C34B9F0EF74599DB460182954AC67A12D36906D0F4C0BD686542EFB9992F
lync2016-kb3085634-fullfile-x86-glb.exe	01CFA248C92C3C4E8B0D6CE30CBC6B723EEE0D5E	611D1E65FEAB3DC9C8CC68B9CCA4E0D93E5BBA1CEC5D705592C343F06EE1F9FB

How to obtain help and support for this security update

↑ Back to the top

Applies to:

↑ Back to the top

Keywords: atdownload, kbbug, kbexpertiseinter, kbfix, kblangall, kbsecreview, kbsecbulletin, kb, kbsecurity, kbsecvulnerability, kbmustloc

↑ Back to the top

Article Info

Article ID	:	3105872
Revision	:	1
Created on	:	1/7/2017
Published on	:	11/10/2015
Exists online	:	False
Views	:	564

Microsoft KB Archive Search

MS15-123: Security update for Skype for Business and Lync to address information disclosure: November 10, 2015

Summary

More information about this security update

Microsoft Lync 2010, Microsoft Lync 2010 Attendee, Microsoft Lync 2013 (Skype for Business), Microsoft Lync Basic 2013 (Skype for Business Basic), Skype for Business 2016, and Skype for Business Basic 2016

Microsoft Lync Room System

Applies to: