Skip to content
Naked Security Naked Security

Patch Skype for Business now or risk DoS via emoji kittens!

So cute! So grabby with the bandwidth!

For the second time in three years, there’s a vulnerability in Microsoft Skype that could get communications tangled up in bouncy little kitten emojis (or any other kind of animated emojis, for that matter).
SEC Consult reported last week that it had discovered that launching 100 animated emojis (the security firm chose to focus on kittens, because, we assume, KITTENS) at Skype for Business caused it to flutter, triggering a short lag in the application.
Throwing 800 animated emojis at the app turned the emoji marauders into the forces of darkness in a denial of service (DoS) attack, causing Skype to keel…
…well, for a few seconds, anyway. Even so, if your business depends on Skype to hold staff conferences, client calls or any other form of communication, you should hop on the patch installation. Microsoft issued a patch for the vulnerability – CVE-2018-8546 – which affects Office 365 ProPlus, Microsoft Office, Microsoft Lync, and Skype.
It’s a good idea to install that patch. You don’t want some jerk – like, say, a disgruntled ex-employee – to lob gobs of nonstop kittens at your operation. If such a jerk were to keep it up, a business would be up a creek without a paddle, says SEC Consult:

When receiving about 800 kittens at once, your Skype for Business client will stop responding for a few seconds. If a sender continues sending emojis your Skype for Business client will not be usable until the attack ends.

This has happened before: in 2015, Skype for Business had the same kind of emoji-overload vulnerability. As SEC Consult put it, multiple animated emoticons would “cause a client’s CPU usage to go through the roof.”
The fix for the 2015 vulnerability was simple: close the conversation windows. You couldn’t stop your CPU from draining away while they were open. Once they’d been closed, users could then turn off emoticon animation in the Option dialog box.
This time around, Microsoft didn’t identify any workarounds or mitigating factors. Could be that it wasn’t worth the effort: Microsoft corrected the manner in which Skype for Business handles emojis and got the patch out lickety-split.

Who’s affected

SEC put up this proof of concept to check whether or not your client freezes upon receiving a dumpster truck worth of emojis. Then again, you could just check whether your client is:

  • Skype for Business 2016 MSO (16.0.93).64-Bit or before, or
  • Lync 2013 (15.0) 64-Bit part of Microsoft Office Professional Plus 2013 or before, and
  • Running on Windows.

It might not seem like a terribly risky vulnerability or a particularly important patch, but most businesses that rely on Skype for Business or Lync are either small (41%) or medium-sized (19%).
Installing patches isn’t a trivial task. But neither is dealing with a DoS attack that hits a sales team, SEC points out: do small organizations with limited security and IT staff really need that kind of panic attack?

If you are responsible for the IT and/or security in your company, constant patch management is key. How much would it cost you if your sales team fell victim of a Denial of Service attack? How long would it take your IT department to put an end to it (if they are able to do so without compromising your productivity)? You’ll do the math.

1 Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!