
Out of band security advisory related to TIFF that could allow remote code execution #Lync #Office

Microsoft today released an out-of-band security advisory on an issue with how Office clients, Lync included, handle TIFF files. This exploit could allow remote code execution, and I think this is the second time that TIFF is affected in about a year, if I am not mistaken.

For more information, please see the official advisory from Microsoft:

Microsoft Security Advisory (2896666)

There is a workaround published describing how to mitigate this by disabling the TIFF codec.

Disable the TIFF codec

Note: See Microsoft Knowledge Base Article 2896666 to use the automated Microsoft Fix it solution to enable or disable this workaround.

You can prevent TIFF files from being displayed by modifying the registry to control the parsing of the TIFF codec. By changing the registry entries, you can control which images are parsed and rendered and which images are rejected in GDI+. For example, you can select to parse and render Joint Photographic Experts Group (JPEG) images, but block Tagged Image File Format (TIFF) images.

Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Note: After you change a registry entry, you must restart the application that uses the codec.

To disable the TIFF codec:

  1. To add a registry entry, create the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Gdiplus
  2. Create a DWORD value for the TIFF codec by creating a registry entry (DWORD value) under the registry subkey you created in step 1: DisableTIFFCodec
  3. To disable the TIFF codec, set the value of the DisableTIFFCodec registry entry to 1.

Impact of Workaround. You will not be able to view TIFF files.

How to undo the workaround

To re-enable the TIFF codec, set the value of the DisableTIFFCodec registry entry to 0.
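
The disable and undo steps above can be scripted so the setting is applied the same way on every machine and can be audited afterwards. This is an added example, not part of the Microsoft advisory or the original post; the registry path and value name are the ones from the steps above, while the function names `Get-TiffCodecWorkaround` and `Set-TiffCodecWorkaround` are hypothetical. Run it from an elevated PowerShell prompt.

```powershell
# Added example: audit, apply, or undo the DisableTIFFCodec workaround.
# Key path and value name come from the steps above; function names are hypothetical.
$GdiplusKey = 'HKLM:\SOFTWARE\Microsoft\Gdiplus'
$ValueName  = 'DisableTIFFCodec'

function Get-TiffCodecWorkaround {
    # Reports the current state without changing anything:
    #   'Disabled' = value is 1 (workaround applied)
    #   'Enabled'  = value is 0 (workaround undone)
    #   'NotSet'   = subkey or value does not exist (workaround never applied)
    $prop = Get-ItemProperty -Path $GdiplusKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'NotSet' }
    if ($prop.$ValueName -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Set-TiffCodecWorkaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # $true applies the workaround (value 1); $false undoes it (value 0).
        [Parameter(Mandatory = $true)]
        [bool]$DisableCodec
    )
    $data = [int]$DisableCodec
    if ($PSCmdlet.ShouldProcess("$GdiplusKey\$ValueName", "Set DWORD to $data")) {
        # Step 1: create the subkey if it does not exist yet.
        if (-not (Test-Path -Path $GdiplusKey)) {
            New-Item -Path $GdiplusKey -Force | Out-Null
        }
        # Steps 2 and 3: create the DWORD value, or overwrite it if present.
        New-ItemProperty -Path $GdiplusKey -Name $ValueName `
            -PropertyType DWord -Value $data -Force | Out-Null
    }
    # Return the resulting state so the caller can log or verify it.
    Get-TiffCodecWorkaround
}

# Dry run: Set-TiffCodecWorkaround -DisableCodec $true -WhatIf
# Apply:   Set-TiffCodecWorkaround -DisableCodec $true
# Undo:    Set-TiffCodecWorkaround -DisableCodec $false
```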

#lync ama on reddit, right now

Ok it all started like 2-3 hours ago, and some 400 comments in right now.

If you are not into Reddit, I suggest you check this chat out. Reddit is a site I've been visiting more and more lately.

http://www.reddit.com/r/IAmA/comments/1n3m6i/we_are_four_people_from_microsoft_that_work_on/?limit=500

Come join the fun and ask the Lync team your questions!

Hold off your updates for a minute #office365 #Lync #ADFS

Just got off the phone with Office 365 support (a great experience again, btw).

Anyway, one of my customers had automatic updates on their ADFS servers and the latest batch kills ADFS, so none of the users could log on this morning.
The guy I talked to had taken a lot of calls already and knew exactly where to look.

So if it's broken right now or soon… look at those updates!

/Tommy

Back from MCSM and will share the knowledge next week

Before the MCSM I felt like, hey, I’m an MVP, I run my own trainings on Lync, and well, I felt pretty confident that I know most of these Lync things pretty well.

Oh was I wrong… anyway, I learned A LOT

And next week I run a LyncLab at labcenter with some seats left.

So if you are in Sweden and got nothing better to do:

http://www.labcenter.se/home#lab=Mastering_Lync_Server_2013_-_Experts_

Security Update: Vulnerability in TCP/IP Could Allow Denial of Service on Lync Server 2013

From NextHop http://blogs.technet.com/b/nexthop/archive/2013/02/27/security-update-vulnerability-in-tcp-ip-could-allow-denial-of-service.aspx

A security bulletin was recently issued by the Windows Server group: Microsoft Security Bulletin MS13-018 – Important.

It has been determined that this particular security issue in the TCP stack could pose a threat to systems running Lync Server 2013. 

It is required that deployments with Lync Server 2013 ensure that the operating system is updated with this security patch.

Additional Information

For information on the vulnerability and required actions, please refer to the following articles:

Joshua Williams talk on Microsoft Productivity Games (A bit off topic but still #Lync)

Presentation of Joshua Williams (Microsoft) during Nonick 2012.

Joshua Williams spends time, passion and energy working on making software development better for the Microsoft Lync Client Team. He is involved in Microsoft’s Productivity Games Department. Over the past 17 years, he has contributed to shipping several versions of Microsoft Windows, Microsoft Lync and now Microsoft Office.