Skip to content

Avoid the “Kittens of Doom” Emoji Attack, patch your Skype for Business clients

image

A denial of service vulnerability exists in Skype for Business clients. If the attacker sends you a huge amount of emojis, e.g. cute kittens. Depending on the actual amount of kitten emojis, you might notice a short lag in your application (starting with 100 emojis). When receiving about 800 kittens at once, your Skype for Business client will stop responding for a few seconds. If a sender continues sending emojis your Skype for Business client will not be usable until the attack ends.

Note that the denial of service would not allow an attacker to execute code or to elevate the attacker’s user rights. So the issue is more of an annoyance than a real risk. Attackers would also be easily traced and blocked since everything is TLS.

There is already an update for click to run and MSI

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8546

 

Further information:

https://threatpost.com/emoji-attack-can-kill-skype-for-business-chat/139186/

https://nvd.nist.gov/vuln/detail/CVE-2018-8546

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8546

https://www.sec-consult.com/en/blog/2018/11/kitten-of-doom-patch-skype-for-business-immediately-cve-2018-8546/

Published inskypeforbusiness

Be First to Comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.