[German]There was a vulnerability in Microsoft Skype for Business that allowed a Denial of Service attack. Microsoft has released at least fixes for affected Skype for Business builds.
Affected: Skype for Business
Skype for Business is the instant messaging client that comes with Office and lets you make Skype calls. Earlier versions were offered under the names Microsoft Office Communicator and Lync. The following Skype features were affected by the vulnerability:
- Skype for Business 2015 (Lync 2013) vor v15.0.5075.1000
- Skype for Business 2016 vor v16.0.4756.1000
Tested were Lync 2013 (15.0) 64-bit (part of Microsoft Office Professional Plus 2013) and Skype for Business 2016 MSO (16.0.93) 64-bit. These clients ran on Windows 10 Pro during testing. The vulnerability and other details were described by Sabine Degen of SEC Consult Vulnerability Lab’s Vienna office on seclists.org.
The Vulnerability and the Proof of Concept
The attack could be carried out via a message to Skype for Business. All you had to do was embed a large number of emojis (e.g. ~800 kittens) in a Skype message. As a result, the receiving Skype client froze for a few seconds and could no longer be used.
This can be exploited to launch denial of service attacks against Skype for Business users. For example, an attacker can continuously send such messages to the Skype chat. The chat windows then freeze for all participants. They cannot use the chat or watch the video transmission.
The audio and video streams are processed by a separate thread and were therefore not affected. It only deals with the functions related to the graphical user interface, which becomes unusable.
An example of a message that could crash Skype for Business clients can be found on seclists.org.
Workaround and fixes
Microsoft has now fixed this vulnerability, although several attempts were necessary. After the bug was reported on August 2, 2018, the bug has been confirmed on August 28, 2018. As a workaround it was suggested from Microsoft to block the ‘attacking user’. At the end of August 2018, Microsoft decided to fix the bug – only after further inquiries.
Microsoft stated that it had fixed the vulnerability with updates on October 2, 2018 without giving any details. After further inquiries by the security researchers, Microsoft wrote, that updates KB4461446 and KB4092445 (see Microsoft Office-Updates (10/02/2018)) should fixes the issue.
When asked why the fix of the problem was not mentioned, Microsoft told the security researcher, that the update was released incorrectly, and should be released again in November 2018. In October 2018, CVE-2018-8546 was assigned to the bug. The clients were updated to the following versions:
- Skype for Business 2015 (Lync 2013) Version 15.0.5075.1000
- Skype for Business 2016 (KB4092445) Version 16.0.4756.1000