Crash Skype for Business by sending a large number of emojis 800+ kittens in one message and the client freezes the program for a few seconds. This can be exploited to perform Denial of Service attacks against Skype for Business users and compromises the availability of the program.
How would an attacker go about performing this attack? Well its quite simple, the attacker can continuously send many messages to the chat window and it will freeze the program for all participants in the meeting room and prevent them from using the chat or seeing the video.
Are you affected?
You could send yourself a few hundred emojis and see if your client freezes but we wouldn’t recommend it. Plus, there is an easier way. Just check if your client is one of these:
- Skype for Business 2016 MSO (16.0.93).64-Bit or before
- Lync 2013 (15.0) 64-Bit part of Microsoft Office Professional Plus 2013 or before
- Running on Windows
How to fix it
Please install the latest patch supplied by Microsoft and make sure your system is up to date, in general. Spread this article with people in your network, so they know about it too:
Apply the security patches provided for skype.
- Skype for Business 2015 (Lync 2013) version 15.0.5075.1000
- Skype for Business 2016 (KB4092445) version 16.0.4756.1000
The following links have information to remedy the issue:
- Want to know more? Visit Sec-Consult for more details.