I’m not completely surprised by their decision not to fix the problem.
The Microsoft Security Advisory can be found here:

September 11, 2018 – Microsoft discloses existence of vulnerability CVE-2018-8474.
July 2018 – Microsoft has decided they won’t be publishing fix after all.
May 2018 – Microsoft decides to fix it after all.
April 2018 – File with MITRE for CVE, MITRE contacts Microsoft.
March 2018 – Microsoft decides not to fix.
November 2017 – Microsoft has been able to replicate issue.

I reported this to Microsoft in July 2017 and the MSRC opened a ticket.

While tags were blocked, and various other JavaScript injections failed, I discovered that an tag would spawn a browser session to the target URL.

A slightly less-useful trick is to embed an image directly into the chat by sending tags:

Disclosure Timeline and Microsoft’s Response

This successfully modified the message formatting, so I then extended testing to other HTML tags.

To begin with, I experimented with sending or tags to style the text.

I used ‘PowerSkype’ by Karl Fosaaen of NetSPI as a base ( ).
It is the result of a failure to sanitize input that is taken in via the Lync 2013 PowerShell SDK.
By TrustedSec in Penetration Testing, Security Testing & Analysis

An attacker can force a user who is logged in with Microsoft Lync for Mac 2011 ( instead of a block.
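The post attributes the issue to message input that is not sanitized. As an added example (not code from the original post, from Microsoft, or from PowerSkype), this Python code shows allowlist sanitization on the receiving side: any tag that is not explicitly permitted is dropped and recorded, instead of relying on a list of known-bad tags. The allowed tag set, the function and class names, and the sample message are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumption: the chat client only needs these presentational tags.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong"}
DROP_CONTENT = {"script", "style"}  # text inside these is dropped too

class MessageSanitizer(HTMLParser):
    """Allowlist filter: anything not explicitly permitted never reaches the renderer."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self.open_tags = [], [], []
        self.skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes are never copied
            self.open_tags.append(tag)
        else:
            self.dropped.append(tag)  # keep for logging / alerting
            if tag in DROP_CONTENT:
                self.skip_depth += 1

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self.skip_depth:
            self.skip_depth -= 1
        elif tag in self.open_tags:
            # close intervening tags too, so the output stays balanced
            top = None
            while top != tag:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is always re-escaped

def sanitize_message(raw):
    """Return (safe_markup, dropped_tag_names) for one incoming message."""
    parser = MessageSanitizer()
    parser.feed(raw)
    parser.close()
    while parser.open_tags:  # close anything the sender left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out), parser.dropped

if __name__ == "__main__":
    # Constructed sample message, not taken from the post.
    print(sanitize_message('<b onclick="x()">hi</b><script>x()</script> there <img src="https://example.invalid/a.png">'))
```

A non-empty list of dropped tags is a useful detection signal: ordinary chat clients rarely send markup outside the formatting set.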