Kitten Of Doom – Why You Should Patch Skype For Business Immediately

vulnerability

Vulnerability in Skype for Business might lead to DoS attack (using a few hundred emojis) in unpatched clients. Update now!

cats in chat

Communication is key, more than ever. With the digital era, companies started to benefit from significant productivity gains and enhanced customer experience at low cost. But what if someone took away your key? What if you wanted to start an important conference call for that desperately needed business venture or your support staff can’t answer clients’ support calls to talk them through delicate bug fixing issues on their computers?

Application Security As A Quality Aspect

A few months ago, the SEC Consult Vulnerability Lab discovered a denial of service (DoS) vulnerability in Skype for Business and Lync 2013. Namely, if one were to send a certain amount of emojis, one could force the recipient’s Skype for Business client to stop working. Our research shows, that a similar issue already occurred in early 2015. Back then, multiple animated emoticons would cause a client’s CPU usage to go through the roof. The issue was resolved within only one patch cycle, which is extremely fast for big software development companies nowadays.

Threat evaluation

With customer service demands higher than ever and companies working in remote teams across the globe, the permanent availability of tools such as Lync and Skype for Business is crucial to pull in sales. In February 2012 (yes that long ago), an amazing 90% of the Fortune-100 and 70% of the Fortune-500  companies were already using Microsoft Lync, also known as Skype for Business. All the call center agents, support staff and remote teams are expected to exceed 100 million enterprise seats by the end of 2018.

Due to the wide-spread use of the program today, a responsible disclosure process with Microsoft was triggered upon and a dedicated patch to fix the vulnerability was issued and included as a security update within Patch Tuesday of November 2018.

How Does The Dos Attack In Skype For Business Work?

A (malicious) sender invites you to join a meeting or simply contacts you via Skype and sends you a huge amount of emojis, e.g. cute kittens. Depending on the actual amount of kitten emojis, you might notice a short lag in your application (starting with 100 emojis).

When receiving about 800 kittens at once, your Skype for Business client will stop responding for a few seconds. If a sender continues sending emojis your Skype for Business client will not be usable until the attack ends.

Risk assessment: Am I affected?

Of course, you could use our proof of concept to check, whether or not your client freezes upon receival of a few hundred emojis. But we wouldn’t recommend it. Plus, there is an easier way. Just check if your client is one of these

  • Skype for Business 2016 MSO (16.0.93).64-Bit or before
  • Lync 2013 (15.0) 64-Bit part of Microsoft Office Professional Plus 2013 or before
  • Running on Windows

How To Fix It And Prevent Further Attacks

Please install the latest patch supplied by Microsoft and make sure your system is up to date, in general. Spread this article with people in your network, so they know about it too:

Patch management: Reducing the risk of security incidents

If you are responsible for the IT and/or security in your company, constant patch management is key. How much would it cost you if your sales team fell victim of a Denial of Service attack? How long would it take your IT department to put an end to it (if they are able to do so without compromising your productivity)? You’ll do the math.

There are only two days you can’t improve the security status of your network: yesterday and tomorrow. Since your network is not trustworthy per default, today really is the best day to implement important system-securing measures. Don’t hesitate to get in touch with experts from the SEC Consult Vulnerability Lab to get a head start on Secure system administration, patch management and better detection of security incidents in your network.

Preventive measures against security gaps

Unfortunately, patching a system is a huge hassle for a lot of companies, regardless of their size. If you take a look at the annual revenue of companies using Skype for Business or Lync, 41% are “small” (<$50M annual revenue), 19% are medium-sized and 29% are large (>$1000M annual revenue).

If patching your system is not an option or you already spotted the first phishing mail in your inbox, inviting you to join a meeting your client might literally not survive, there is a workaround:

  • Block the malicious sender.
  • Disable emojis in your Skype for Business client.
  • Set appropriate privacy options in your Skype for Business settings, so only people from your contact list can send you messages. If a Skype for Business account of someone in your contact list gets hacked (e.g. due to a weak password), this isn’t applicable.

Note: you might not be able to do neither of the options described so far, once the attack has started, simply because your client will be unresponsive before you get to your contact list or application settings. So this workaround really is only applicable as a preventive solution.

 

Related Research

More vulnerabilities from the SEC Consult Vulnerability Lab

 

 

This research was done by Sabine Degen on behalf of SEC Consult Vulnerability Lab and was also published as a security advisory.