Tom Talks Microsoft Teams and Microsoft 365 news and opinions

Avoid the “Kittens of Doom” Emoji Attack, patch your Skype for Business clients


A denial of service vulnerability exists in Skype for Business clients. It is triggered when an attacker sends you a huge number of emojis, e.g. cute kittens. Depending on the number of kitten emojis, you might notice a short lag in your application (starting with 100 emojis). When receiving about 800 kittens at once, your Skype for Business client will stop responding for a few seconds. If the sender keeps sending emojis, your Skype for Business client will not be usable until the attack ends.

Note that the denial of service would not allow an attacker to execute code or to elevate the attacker’s user rights. So the issue is more of an annoyance than a real risk. Attackers would also be easily traced and blocked since everything is TLS.

An update is already available for both Click-to-Run and MSI installations:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8546

Further information:

https://threatpost.com/emoji-attack-can-kill-skype-for-business-chat/139186/

https://nvd.nist.gov/vuln/detail/CVE-2018-8546

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8546

https://www.sec-consult.com/en/blog/2018/11/kitten-of-doom-patch-skype-for-business-immediately-cve-2018-8546/

About the author

Tom Arbuthnot

A Microsoft MVP and Microsoft Certified Master, Tom Arbuthnot is Founder and Principal at Empowering.Cloud as well as a Solutions Director at Pure IP.

Tom stays up to date with industry developments and shares news and his opinions on his Tomtalks.blog, UC Today Microsoft Teams Podcast and email list. He is a regular speaker at events around the world.

