Skype emojis Patch
The attack seems made more for pranks than anything else at first blush: the DoS state is, after all, not persistent, and only lasts as long as the kittens (or other emojis) keep coming. Also, this affects only the chat feature; the audio and video features in Skype for Business are handled by a separate, non-vulnerable thread. However, as SEC Consult pointed out, the availability of tools such as Lync and Skype for Business is a key part of how organizations function on a daily basis. Attack motivations could range from competitive dirty dealing (a competitor firm could troll executive clients, for example) to intra-office politicking (reducing the productivity of a rival department, for instance). Microsoft issued a fix for CVE-2018-8546 in this week’s Patch Tuesday update.
Skype emojis plus
A denial of service (DoS) vulnerability in the Skype for Business unified communications platform has been uncovered, which can be triggered by sending large numbers of emojis to the instant messaging client. According to the SEC Consult Vulnerability Lab, which discovered the flaw (CVE-2018-8546), mounting an attack could not be easier. An attacker needs only to start blasting the target victim’s Skype for Business or Lync client with hundreds of emojis at once in order to render it useless. The researchers used the cute kitten emoji to demonstrate the attack (which also allowed the firm to name the attack “Kitten of Doom”). They found that starting at 100 emojis, the application will start to lag, and from there will become slower and slower as more emojis are sent. At 800 kittens, though, an attacker hits pay dirt: “Your Skype for Business client will stop responding for a few seconds,” the firm said in a post this week. “If a sender continues sending emojis, your Skype for Business client will not be usable until the attack ends.” The attack vector is simple too: a malicious sender can just invite the target to join a meeting, or he or she could contact someone directly via Skype. Not all clients freeze upon the arrival of 800 kittens of doom: the flaw affects only Skype for Business 2016 MSO (16.0.93) 64-bit or before and the Skype for Business precursor, Microsoft Lync 2013. The latter is vulnerable in the (15.0) 64-bit version, which is part of Microsoft Office Professional Plus 2013 or before.