What is it?
An attacker can force a user who is logged in with Microsoft Lync for Mac 2011 (< v14.4.3) to browse to a URL of the attacker's choice via a specially crafted instant message. This vulnerability exists due to poor input sanitization in the processing of message content submitted via PowerShell and the Lync 2013 SDK.
No user interaction is required, and the URL will open in whatever the default system browser is set to. If the URL is a link to a file, the browser will behave as though the URL was clicked. If the filetype of the URL target is a known ‘safe’ type, then it will automatically start downloading.
This vulnerability is particularly dangerous if Microsoft Federation is configured to be open, which allows users to receive messages from any Skype for Business user.
This issue is very similar to the input sanitization problem that I found last year in the Windows Skype for Business client (https://www.exploit-db.com/exploits/42316/). In fact, the PowerShell framework is all the same; only the payload has been modified to hold an <iframe> instead of a <script> block.
This exploit is extremely simple. It is the result of a failure to sanitize input that is taken in via the Lync 2013 PowerShell SDK. I used ‘PowerSkype’ by Karl Fosaaen of NetSPI as a base (https://github.com/NetSPI/PowerShell/blob/master/PowerSkype.ps1).
A slightly less-useful trick is to embed an image directly into the chat by sending <img> tags:
Disclosure Timeline and Microsoft’s Response
I reported this to Microsoft in July 2017 and the MSRC opened a ticket.
- July 18, 2017 – Reported Issue to Microsoft
- November 2017 – Microsoft has been able to replicate issue
- March 2018 – Microsoft decides not to fix
- April 2018 – File with MITRE for CVE, MITRE contacts Microsoft
- May 2018 – Microsoft decides to fix it after all
- July 2018 – Microsoft has decided they won’t be publishing fix after all
- September 11, 2018 – Microsoft discloses existence of vulnerability CVE-2018-8474
The Microsoft Security Advisory can be found here:
I’m not completely surprised by their decision not to fix the problem. Lync: Mac 2011 is an aging client, with two product replacements out for it already (Skype for Business, and the new Microsoft Teams). Plus, it’s the Mac client, so the install base is likely on the smaller side.
With that being said, if they don’t want to fix it, Microsoft should stop recommending it and remove it from their downloads page. If you go to the Skype for Business 2016 Mac client download page you see that they recommend using the Lync 2011 client when connecting to Lync Server 2010.
To test the vulnerability, you will need an attacking machine (a Windows host that can run PowerShell), and a target machine (a Mac with the Lync Mac 2011 client running).
The Setup – Target Machine
This is easy – simply download the Microsoft Lync: Mac 2011 client, open it, and sign in.
The Setup – Attacking Machine
First, you’ll want to set up the Lync 2013 PowerShell SDK. Karl Fosaaen over at NetSPI has a great write-up on getting this started, and I recommend you follow the steps in his post here:
Once you have the Lync 2013 SDK installed, go ahead and grab the CVE-2018-8474 PoC script here.
In order to run it we just need to make one change to the PoC script. Change the $target variable to point at the user you are targeting.
Now, navigate to the location of the PowerShell script and run it.
You should see a prompt appear on the target machine, and the URL should open in a new browser window!
What can you do? First, if your organization uses Macs, make sure that they are held to the same standard for vulnerability management as everything else. Especially in big Windows shops, where the only Macs might be a handful in the graphic design department, it’s easy for non-standard machines to fall through the cracks when it comes to patching and managing software.
Second, please please please restrict your Microsoft Federation settings. While the default is to have it enabled, it’s a simple matter to fix by visiting the O365 Settings and whitelisting only the organizations that you wish to communicate with.
Forced browsing isn’t a great exploit on its own. However, paired with a browser or file format exploit, forced browsing becomes a terrific payload delivery method. At highest risk are those organizations that have Microsoft’s Federation enabled, allowing external entities to communicate with their users via Skype/Lync.
A forced browsing exploit + browser or file-format exploit + open federation = super spear-phishing. Get easy shells on high-value targets and the user doesn’t even have to click.
In the above scenario, against a user at an organization with open federation, an attacker could wait for their target to log in and force them to browse to a URL of their choosing. Since no user-interaction is required, the likelihood of execution is high.
It’s interesting that both the Windows and Mac clients have had issues with input sanitization, despite the products being run by different teams. It shows that the classic Top 10 OWASP finding, input sanitization, is still a problem for developers in shops of all sizes.
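The missing control in both clients is allow-list sanitization of message content before it is rendered. The following is an added example, not code from the original post or from Microsoft; the tag allow-list and the names `MessageSanitizer` and `sanitize_message` are assumptions chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumption: a chat message only needs basic text formatting.
ALLOWED_TAGS = {"b", "i", "u", "br", "span"}
# Elements whose inner text must be dropped too, not just the tags.
DROP_CONTENT = {"script", "style", "iframe", "object"}


class MessageSanitizer(HTMLParser):
    """Rebuilds a message from allow-listed tags and escaped text only."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.blocked = []      # names of removed tags, for logging/alerting
        self._skip_depth = 0   # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._skip_depth += 1
        if tag in ALLOWED_TAGS and not self._skip_depth:
            self.out.append(f"<{tag}>")   # attributes are never copied
        elif tag not in ALLOWED_TAGS:
            self.blocked.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self._skip_depth:
            self._skip_depth -= 1
        elif tag in ALLOWED_TAGS and tag != "br" and not self._skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data))


def sanitize_message(raw):
    """Return (safe_html, blocked_tags) for one inbound message body."""
    parser = MessageSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out), parser.blocked


if __name__ == "__main__":
    # Constructed sample message, not taken from the PoC.
    print(sanitize_message('Hi <b>Rob</b><iframe src="https://example.invalid/"></iframe>'))
```

A non-empty `blocked` list on a message from a federated sender is also a useful signal to log, since ordinary chat traffic has no reason to carry those elements.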
TrustedSec is a highly specialized information security company made up of some of the industry’s most respected individuals. We work with our business partners to increase their security posture, helping to reduce risk and impact in an ever-changing cyber landscape.