A denial of service vulnerability exists in Skype for Business clients. If the attacker sends you a huge amount of emojis, e.g. cute kittens. Depending on the actual amount of kitten emojis, you might notice a short lag in your application (starting with 100 emojis). When receiving about 800 kittens at once, your Skype for Business client will stop responding for a few seconds. If a sender continues sending emojis your Skype for Business client will not be usable until the attack ends.
Note that the denial of service would not allow an attacker to execute code or to elevate the attacker’s user rights. So the issue is more of an annoyance than a real risk. Attackers would also be easily traced and blocked since everything is TLS.
There is already an update for click to run and MSI
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8546
Further information:
https://threatpost.com/emoji-attack-can-kill-skype-for-business-chat/139186/
https://nvd.nist.gov/vuln/detail/CVE-2018-8546
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8546
https://www.sec-consult.com/en/blog/2018/11/kitten-of-doom-patch-skype-for-business-immediately-cve-2018-8546/
