If you have family or friends who do not live around the corner but in another country, or perhaps even on another continent, you probably know Skype. It is one of the best-known video chat messengers, with several hundred million users worldwide. It is free, it is easy to use, and it also comes in a business edition for companies, Skype for Business, formerly known as Microsoft Lync.
Like most messengers it lets you send emoticons, and in this case that feature is also its downfall: put enough of them into a single message (around 800 does it) and the client freezes.
Cutest Denial of Service attack ever
The vulnerability, tracked as CVE-2018-8546, was discovered by SEC Consult. It affects Lync 2013 (15.0) 64-bit, which ships as part of Microsoft Office Professional Plus 2013, and Skype for Business 2016 MSO (16.0.93) 64-bit; according to the advisory, older versions are vulnerable as well.
Using the exploit is as easy as pie, really: all you have to do is stuff a very large number of emoticons into a chat message. 100 is a start, 400 is better, and according to SEC Consult 800 is the jackpot: Skype for Business freezes for several seconds while it tries to render the chat window. That may not sound too bad at first, but it becomes a real problem over time: an attacker who keeps sending messages with 800 cat emoticons each, which only requires being able to send the victim an instant message, renders the GUI effectively unusable for the recipient.
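As an added example (not part of the original article, and neither SEC Consult's proof of concept nor Microsoft's fix), here is a Python sketch of what a chat gateway or bot sitting in front of such a client could do about this class of attack: build the kind of payload described above, count emoticon tokens per message, neutralise everything beyond a cap, and keep a per-sender budget for the sustained spam case. The parenthesised shortcode syntax, the thresholds and the sender addresses are assumptions, not values taken from the advisory.

```python
import re
from collections import deque

# Assumption: emoticons in the message text are parenthesised keywords such
# as "(cat)" or "(smile)". This stands in for the real client's emoticon
# syntax; the whole check is an added illustration, not vendor or advisory code.
EMOTICON_RE = re.compile(r"\((?P<name>[a-z0-9_]+)\)")

# A single message carrying more emoticons than this is treated as a flood.
# The advisory quotes roughly 800 as enough to freeze the client; a genuine
# message practically never carries dozens, so the cap sits far below that.
EMOTICON_LIMIT = 50


def build_emote_flood(count: int, token: str = "(cat)") -> str:
    """Constructed attacker-style payload: `count` copies of one emoticon."""
    return " ".join([token] * count)


def count_emoticons(text: str) -> int:
    """Number of emoticon tokens a renderer would turn into images."""
    return len(EMOTICON_RE.findall(text))


def neutralize_excess_emoticons(text: str, limit: int = EMOTICON_LIMIT) -> str:
    """Keep the first `limit` emoticon tokens intact and break the syntax of
    the rest, so they stay readable text but are never rendered as images."""
    seen = 0

    def repl(match):
        nonlocal seen
        seen += 1
        if seen <= limit:
            return match.group(0)
        # A zero-width space after "(" stops the token matching the emoticon
        # syntax while leaving the visible text unchanged for a human reader.
        return "(\u200b" + match.group("name") + ")"

    return EMOTICON_RE.sub(repl, text)


def triage_message(text: str, limit: int = EMOTICON_LIMIT) -> dict:
    """Per-message check: pass normal chat through, cap emoticon floods."""
    n = count_emoticons(text)
    if n <= limit:
        return {"verdict": "allow", "emoticons": n, "text": text}
    return {
        "verdict": "capped",
        "emoticons": n,
        "text": neutralize_excess_emoticons(text, limit),
    }


class SenderFloodTracker:
    """Sliding-window emoticon budget per sender, for the sustained case the
    article describes: many messages that individually stay under the
    per-message cap but together keep the recipient's GUI busy."""

    def __init__(self, window_seconds: float = 60.0, budget: int = 200):
        self.window = window_seconds
        self.budget = budget
        self._events = {}  # sender -> deque of (timestamp, emoticon count)

    def record(self, sender: str, now: float, emoticons: int) -> bool:
        """Record one message; return True if the sender is now over budget."""
        q = self._events.setdefault(sender, deque())
        q.append((now, emoticons))
        while q and now - q[0][0] > self.window:
            q.popleft()
        return sum(n for _, n in q) > self.budget


if __name__ == "__main__":
    flood = build_emote_flood(800)  # constructed sample input
    result = triage_message(flood)
    print(result["verdict"], result["emoticons"], count_emoticons(result["text"]))
    tracker = SenderFloodTracker()
    over = False
    for t in range(10):  # ten messages of 40 emoticons in ten seconds
        over = tracker.record("attacker@example.com", float(t), 40)
    print("sender over budget:", over)
```

The cap works because the rendering cost is per token: neutralising the surplus with a zero-width space keeps the text readable but gives the renderer nothing to turn into an image. Where such a filter can run (a bot, a gateway, a compliance proxy) is deployment-specific, and it does nothing for messages that reach the client by other routes, which is why the vendor patch or the per-client workaround is still needed.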
Video and audio streams not affected
There is an upside though: audio and video are handled by a separate thread, so an ongoing call keeps working even while the chat window is frozen.
Microsoft released a patch on its November 2018 Patch Tuesday, so update your Skype for Business as soon as possible. If that is not possible for whatever reason, SEC Consult also describes a workaround: disable emoticons in Skype for Business by opening Tools -> Options -> IM and unchecking "Show emoticons in messages". Bear in mind that this is a per-client setting: it only protects the client you change it on, so it has to be applied on every affected installation, and it stops the emoticons from being rendered rather than from being delivered.