A spoofing vulnerability was recently found in Skype for Business Server. It allows an authenticated attacker to run arbitrary script in a victim's browser and perform cross-site scripting attacks against the targeted system. It is also known as the “Skype for Business Server Spoofing Vulnerability”.
According to a survey by a Cyber Security Consultancy, it’s found that “An authenticated attacker can misuse the vulnerability by sending an organized request to the targeted software.”
Once the attacker has successfully exploited the flaw, they could perform cross-site scripting attacks on the affected systems and run scripts in the security context of the victim user.
The vulnerability is caused by incorrect processing of user-supplied data. An authenticated attacker can send a specially crafted request to the server and trick a victim into clicking a specially crafted URL, which spoofs the page content.
This can allow the attacker to steal cookie-based authentication credentials, perform unauthorized actions, and launch further attacks.
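The mechanism described above, shown in code as an added example (not code from the advisory or from Skype for Business Server): a crafted URL carries a parameter that a handler pastes into HTML verbatim, so the value becomes live markup; the hardened variant output-encodes it so it can only render as text. The second half models why the cookie-theft consequence depends on cookie flags: a session cookie set with HttpOnly is not readable by page script even if script does execute. The hostname, parameter name and payload are constructed placeholders.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a crafted link a victim might be tricked into clicking.
# The host, parameter and payload are placeholders, not taken from the advisory.
CRAFTED_URL = "https://sfb.example.invalid/meet?user=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def user_param(url: str) -> str:
    """Extract the 'user' query parameter the way a server-side handler would (URL-decoded)."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("user", [""])[0]


def render_vulnerable(user: str) -> str:
    """Incorrect processing of user-supplied data: the value is inserted into the
    page verbatim, so angle brackets in it become real markup in the victim's browser."""
    return f"<p>Welcome, {user}</p>"


def render_hardened(user: str) -> str:
    """Same page with HTML output encoding: <, >, &, and quotes become entities,
    so the value is always rendered as text and never parsed as a tag or script."""
    return f"<p>Welcome, {html.escape(user, quote=True)}</p>"


def contains_markup(rendered: str, tag: str = "<script") -> bool:
    """Check whether a tag survived rendering as live markup."""
    return tag in rendered


def session_cookie(value: str, hardened: bool = True) -> str:
    """Build the Set-Cookie header for a session cookie (cookie name is a placeholder).
    HttpOnly keeps the cookie out of document.cookie, so script that does run cannot
    read it; Secure and SameSite limit where the browser will send it."""
    header = f"SfBSession={value}; Path=/"
    if hardened:
        header += "; HttpOnly; Secure; SameSite=Lax"
    return header


def cookie_readable_by_script(set_cookie_header: str) -> bool:
    """Model the browser rule: a cookie flagged HttpOnly is hidden from document.cookie."""
    flags = {part.strip().lower() for part in set_cookie_header.split(";")[1:]}
    return "httponly" not in flags


if __name__ == "__main__":
    user = user_param(CRAFTED_URL)
    print("vulnerable:", render_vulnerable(user))
    print("hardened:  ", render_hardened(user))
    print("weak cookie:", session_cookie("opaque-session-id", hardened=False))
    print("hard cookie:", session_cookie("opaque-session-id"))
```

Output encoding at the point where the value is written into HTML is the fix for the reflection itself; the cookie flags are defence in depth that limits what a successful injection can reach, which is why both belong in a review of an affected web front end.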
Affected software: Microsoft Skype for Business Server 2019 CU2.
Microsoft has not identified any mitigating factors for this vulnerability.
- To reduce the impact of vulnerabilities, always run non-administrative software as an underprivileged user with the minimum access rights required.
- Deploy or extend your company’s Network Intrusion Detection System (NIDS). It helps monitor network traffic for malicious activity: not only unexplained traffic (both incoming and outgoing), but also exploit attempts and activity that results from successful exploitation.
- Never follow links suggested by unknown sources. A link from an untrustworthy source may lead you to something unpredictable.
- Since a successful exploit of this issue allows malicious code to run in web clients, consider disabling support for script code and active content within the client browser. Note that this mitigation may adversely affect legitimate websites that rely on browser-based script code.
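To make the NIDS/log-monitoring recommendation concrete, here is an added example (not from the advisory or any vendor tool) that scans web-server access logs for request query strings carrying script injection indicators. The log layout is a simplified, constructed W3C/IIS-style format and every line in it is made up; the indicator patterns are a starting point to tune, not a complete signature set.

```python
import re
from urllib.parse import unquote

# Constructed sample log in a simplified W3C/IIS-style layout (fields are
# date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status).
# Every line, path, user and address here is made up for the example.
SAMPLE_LOG = """\
2021-05-11 10:01:02 GET /meet id=abc123 - 203.0.113.10 200
2021-05-11 10:01:05 GET /meet user=%3Cscript%3Ealert(1)%3C%2Fscript%3E alice 203.0.113.77 200
2021-05-11 10:01:09 GET /dialin conf=ok - 203.0.113.10 200
2021-05-11 10:01:12 GET /meet user=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E alice 203.0.113.77 200
2021-05-11 10:01:15 GET /meet user=bob%26team=sales - 203.0.113.12 200
"""

# Indicators of script injection in a decoded query string. Tune for your
# application: parameter names like "online=" will trip the event-handler rule.
INDICATORS = {
    "script-tag": re.compile(r"<\s*script", re.I),
    "javascript-uri": re.compile(r"javascript\s*:", re.I),
    "event-handler": re.compile(r"\bon[a-z]+\s*=", re.I),
}


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are still inspected."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line: str):
    """Split one log line into a dict; return None for lines that do not fit the layout."""
    parts = line.split()
    if len(parts) != 8:
        return None
    date, time_, method, stem, query, user, client, status = parts
    return {"date": date, "time": time_, "method": method, "stem": stem,
            "query": query, "user": user, "client": client, "status": status}


def suspicious(query: str) -> list:
    """Return the names of indicators that match the decoded query string."""
    decoded = fully_decode(query)
    return [name for name, pattern in INDICATORS.items() if pattern.search(decoded)]


def scan_log(text: str) -> list:
    """Return one hit per log entry whose query string matches any indicator."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        matched = suspicious(entry["query"])
        if matched:
            hits.append({"time": f"{entry['date']} {entry['time']}", "client": entry["client"],
                         "user": entry["user"], "stem": entry["stem"], "indicators": matched})
    return hits


def hits_by_client(hits: list) -> dict:
    """Aggregate hits per source address, a cheap way to surface repeated probing."""
    counts = {}
    for hit in hits:
        counts[hit["client"]] = counts.get(hit["client"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(hits_by_client(scan_log(SAMPLE_LOG)))
```

Bounded repeated decoding matters because a single decode pass would miss the double-encoded fourth line; the bound keeps a pathological input from looping. Matching on decoded values is also why this belongs in a log or NIDS rule rather than a naive string grep over raw request lines.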
“The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. All warranties either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.”
To protect your company from attacks exploiting such vulnerabilities, always consult an expert Cyber Security Consultancy.