SEC Consult Vulnerability Lab uncovered the vulnerability and Microsoft has since coded it as CVE-2018-8546. Unfortunately, this flaw is filed under “major problem”, not least because SEC says it is very easy to implement. Indeed, all an attacker needs to do is start spamming a Skype for Business account with hundreds of emojis. This will make the Skype account useless, essentially crashing the app. To test the theory, SEC conducted a proof-of-concept (PoC). Using the cute kitten emoji (hence the Kitten of Doom moniker), the team spammed 100 emojis to start. This was enough to cause the Skype for Business app to lag. Adding more and more emojis resulted in the app becoming increasingly slow. SEC says 800 was the magic number of kittens to get the app to crash: “Your Skype for Business client will stop responding for a few seconds,” the firm said, in a post this week. “If a sender continues sending emojis, your Skype for Business client will not be usable until the attack ends.” The vector for attack is also very easy. Bad actors send a single invite for the target user to join a meeting or make direct message contact. It is worth noting that 800 Kitten of Doom emojis do not freeze the app on all versions.
Pranks and Fix
While the attack is simple, there is one significant positive here. Namely, there is no malicious content, so this attack seems to be solely to be used as a prank. So, it will be frustrating for users as it will make their app crash, but the affects should not be lasting. It is also worth pointing out that Microsoft sent out a fix for the bug with last week’s Patch Tuesday cumulative updates.