DoS & Memory Corruption Vulnerabilities found in Skype Empresarial v16.0.10730.20053

A denial of service vulnerability has been found in Skype Empresarial (Office 365) version 16.0.10730.20053. It was first discovered by Samuel Cruz on the 20th of August, 2018. According to the information brought forward by Cruz, this particular vulnerability was only tested on version 16.0.10703.20053 of Skype Empresarial, on the Windows 10 Pro x64 Spanish home operating system platform. It is not yet known whether this vulnerability affects other versions of Skype Empresarial, or whether it affects the tested version on other operating systems or operating system versions.

According to Cruz, the crash occurs as follows. First, run the Python code: python. Next, open SkypeforBusiness.txt and copy the contents of the file to your device's clipboard. After this step is complete, launch Skype for Business as usual and paste what you copied to the clipboard earlier from the text file. Once this is pasted in, it causes a denial of service crash on the device: Skype stops working and crashes upon any manipulation.

In addition to this bug, it was also found just a few hours ago that the software has a flaw through which data and media content shared between two Skype users can cause the application to crash. This means that the same vulnerability can be exploited remotely if a malicious user sends such counterfeit files through the application to another user, prompting the same kind of denial of service reaction through memory corruption. This second memory corruption vulnerability was found to affect Skype for Linux: skypeforlinux_8.27.0.85_amd64.deb.

The remotely exploitable flaw in Skype described above requires that the attacker connect a call with the victim user and simultaneously send the malicious files across through the platform's messaging service. For both the locally exploitable Python vulnerability and the remotely exploitable flaw operating on the same principle, no mitigation instructions or advisories are available yet. Microsoft has not yet released a statement regarding this issue.