Skype for Business 2015 Server CU8a or CU9?

UPDATE 13/March 21:48 – Microsoft has now updated the information: this is the March 2019 update, released to address a security vulnerability (CVE-2019-0798). Specific details here:
Microsoft Lync Server/Skype for Business spoofing cross site scripting
Better start planning to roll out the March 2019 CU9 then! (and the Lync Server 2013 equivalent, if you still run it)

I download all the cumulative updates as soon as they are released; I like to keep a history and peek at the changes. Today I needed to get the January 2019 CU8, but my repository was unavailable. So I went to the official CU download site and noticed that the published date was from yesterday, yet the page still pointed to KB3061064 (?!). When I got access to my repository back, I noticed that this file also has a different version:
[Screenshot: SfBupdate-list]

Now I have two January 2019 CU packages with different versions (6.0.9319.537 and 6.0.9319.544) and different file sizes.
Time to dig in and spot the differences: two MSP files changed:

OcsCore.msp

[Screenshot: diff-ocscore]
Two noticeable changes:
– the non-US DLL language files: they were compiled on different dates, but still carry the same version number
– the tracing files (used by the CLS/OcsLogger tracing tool): these have some significant changes:
[Screenshot: diff-tracing]

EnterpriseWebApp.msp

The files in both packages have the same size, but a 'look inside' reveals one particular difference: 'Lync.Client.Common.Consolidated.js' is different.
[Screenshot: diff-enterpriseWeb.png]

A closer look reveals 5 changed lines of code (one of them seems to add an additional protection):
[Screenshot: diff-javascriptupdate]
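The comparison described above (same package name, different file versions, same-version DLLs with different build dates, a same-size JS file with different contents) is easy to automate. The following PowerShell is an added example, not code from the original post or from Microsoft: it assumes you have already extracted both packages into two folder trees (the folder names are placeholders) and reports every file whose SHA-256 hash differs, flagging the two cases that a size-or-version-only comparison would miss.

```powershell
# Added example: diff two extracted CU package trees by content hash.
# Assumptions: $OldRoot and $NewRoot already contain the extracted files of the
# two packages (6.0.9319.537 and 6.0.9319.544 in the post); paths are placeholders.
param(
    [string]$OldRoot = 'C:\CU\SfB-CU8-6.0.9319.537',
    [string]$NewRoot = 'C:\CU\SfB-CU8-6.0.9319.544'
)

function Get-PackageInventory {
    # Builds a table keyed by relative path: size, SHA-256 and (for PE files) FileVersion.
    param([Parameter(Mandatory)][string]$Root)
    $rootPath  = (Resolve-Path $Root).Path.TrimEnd('\')
    $inventory = @{}
    Get-ChildItem -Path $rootPath -Recurse -File | ForEach-Object {
        $relative = $_.FullName.Substring($rootPath.Length + 1)
        $inventory[$relative] = [pscustomobject]@{
            Path    = $relative
            Size    = $_.Length
            Sha256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Version = $_.VersionInfo.FileVersion   # $null for non-PE files (.msp, .js, ...)
        }
    }
    return $inventory
}

function Compare-PackageInventory {
    # Emits one record per added, removed or changed file. A file counts as changed
    # only when its hash differs, so same-size/same-version rebuilds are still caught.
    param(
        [Parameter(Mandatory)][hashtable]$Old,
        [Parameter(Mandatory)][hashtable]$New
    )
    $allPaths = @($Old.Keys) + @($New.Keys) | Sort-Object -Unique
    foreach ($path in $allPaths) {
        $o = $Old[$path]; $n = $New[$path]
        if (-not $o) {
            [pscustomobject]@{ Path = $path; Change = 'Added'; OldVersion = $null; NewVersion = $n.Version; SizeDelta = $n.Size }
            continue
        }
        if (-not $n) {
            [pscustomobject]@{ Path = $path; Change = 'Removed'; OldVersion = $o.Version; NewVersion = $null; SizeDelta = -$o.Size }
            continue
        }
        if ($o.Sha256 -eq $n.Sha256) { continue }   # byte-identical: nothing to report

        # Classify the interesting cases from the post: rebuilt binaries that keep
        # their version number, and files whose size is unchanged but contents differ.
        $change = if ($o.Version -and $o.Version -eq $n.Version) { 'ContentChanged-SameVersion' }
                  elseif ($o.Size -eq $n.Size)                    { 'ContentChanged-SameSize' }
                  else                                            { 'ContentChanged' }
        [pscustomobject]@{
            Path       = $path
            Change     = $change
            OldVersion = $o.Version
            NewVersion = $n.Version
            SizeDelta  = $n.Size - $o.Size
        }
    }
}

$old = Get-PackageInventory -Root $OldRoot
$new = Get-PackageInventory -Root $NewRoot
Compare-PackageInventory -Old $old -New $new |
    Sort-Object Change, Path |
    Format-Table -AutoSize
```

Run it against the two extracted trees; the 'ContentChanged-SameVersion' rows are the rebuilt language DLLs and the 'ContentChanged-SameSize' rows are files like the consolidated JS, neither of which a version or size comparison alone would surface. Note that an MSP is an OLE compound file, so to see inside it (as done above) you have to extract its contents first; this script only compares whatever tree you point it at.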

So… since MS hasn't updated any documentation so far:

  • Is this CU8 republished?
    If so, MS will now have customers with different files for the same CU.
  • Is this CU9 (or a cumulative security update, SU)?
    It could be, since the date matches the usual release cycle.

Running the cumulative update installer on a Front End server that already has the January 2019 CU8 confirms the changes to the identified components:

[Screenshot: unNamedCU]

It points to KB4492303 and KB4492302, which don't exist.

UPDATE 3/April/2019: Microsoft updated the 'Get updates' section of KB3061064 with an additional line:
4494279 Fix for Skype for Business 2015 and Lync Server 2013 spoofing vulnerability

That document mentions a 'March 2019 security update':

The March 2019 security update contains a security fix for the spoofing vulnerability that is described in the following security advisory:

My official guess now is that this is SU9 and MS just decided to update it 'silently'.

But some IT engineers might believe that they are downloading and installing CU8 today. On an installed server, Get-CsServerPatchVersion lists the installed component versions; compare those with the version of the package you meant to deploy rather than trusting the KB number on the download page.
