A denial of service (DoS) vulnerability in the Skype for Business unified communications platform has been uncovered, which can be triggered by sending large numbers of emojis to the instant messaging client.
According to the SEC Consult Vulnerability Lab, which discovered the flaw (CVE-2018-8546), mounting an attack could not be easier. An attacker needs only to start blasting the target victim’s Skype for Business or Lync client with hundreds of emojis at once, in order to render it useless.
The researchers used the cute kitten emoji to demonstrate the attack (which also allowed the firm to name the attack “Kitten of Doom”). They found that starting at 100 emojis, the application will start to lag, and from there will become slower and slower as more emojis are sent. At 800 kittens though, an attacker hits pay dirt: “Your Skype for Business client will stop responding for a few seconds,” the firm said, in a post this week. “If a sender continues sending emojis, your Skype for Business client will not be usable until the attack ends.”
The attack vector is simple too: A malicious sender can just invite the target to join a meeting; or, he or she could contact someone directly via Skype.
Not all clients freeze upon the arrival of 800 kittens of doom: The flaw affects only Skype for Business 2016 MSO (16.0.93) 64-bit or before; and the Skype for Business precursor, Microsoft Lync 2013. The latter is vulnerable in the (15.0) 64-bit version, which is part of Microsoft Office Professional Plus 2013 or before.
At first blush, the attack seems better suited to pranks than anything else; the DoS state is, after all, not persistent, and lasts only as long as the kittens (or other emojis) keep coming. It also affects only the chat feature; the audio and video features in Skype for Business are handled by a separate, non-vulnerable thread.
However, as SEC Consult pointed out, the availability of tools such as Lync and Skype for Business is a key part of how organizations function on a daily basis. Attack motivations could range from competitive dirty dealing (a competitor firm could troll executive clients, for example) to intra-office politicking (reducing the productivity of a rival department, for instance).
Microsoft issued a fix for CVE-2018-8546 in this week’s Patch Tuesday update. For those who don’t have the option to patch the system, workarounds include disabling emojis in the Skype for Business client (Tools -> Options -> IM -> Show emoticons in messages) and setting the privacy options so that only people from one’s contact list can send messages.
A similar issue was found back in 2015, in which multiple animated emoticons would cause a client’s CPU usage to skyrocket, the firm added.