Tom Talks Microsoft Teams and Skype for Business thoughts and news

Avoid the “Kittens of Doom” Emoji Attack, patch your Skype for Business clients

A denial of service vulnerability exists in Skype for Business clients. It is triggered when an attacker sends you a huge number of emojis, e.g. cute kittens. Depending on the number of kitten emojis, you might notice a short lag in your application (starting at 100 emojis). When it receives about 800 kittens at once, your Skype for Business client will stop responding for a few seconds. If the sender continues sending emojis, your Skype for Business client will not be usable until the attack ends.

Note that the denial of service would not allow an attacker to execute code or to elevate the attacker’s user rights. So the issue is more of an annoyance than a real risk. Attackers would also be easily traced and blocked since everything is TLS.

There is already an update for Click-to-Run and MSI:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8546

 

Further information:

https://threatpost.com/emoji-attack-can-kill-skype-for-business-chat/139186/

https://nvd.nist.gov/vuln/detail/CVE-2018-8546

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8546

https://www.sec-consult.com/en/blog/2018/11/kitten-of-doom-patch-skype-for-business-immediately-cve-2018-8546/

About the author

Tom Arbuthnot

Tom Arbuthnot is Principal Solutions Architect at Unified Communications specialist Modality Systems. He is a Microsoft Certified Master and MVP, blogger, has a regular podcast with UCToday at tomtalks.show and is a regular speaker at events including Microsoft TechEd and Ignite. He co-runs The Microsoft UC User Group London.
