discovered by SEC Consult and affects Lync 2013 (15.0) 64-bit, which is part of Microsoft Office Professional Plus 2013, and Skype for Business 2016 MSO (16.0.93) 64-bit. All previous versions are vulnerable as well.
Using the exploit is as easy as pie – really. All it takes is sending an enormous number of emoticons into the chat. 100 is a start, 400 is better, and according to SEC Consult 800 is the jackpot: Skype for Business freezes for a few seconds while trying to render the chat window. What doesn’t sound too bad at first can be a real issue in the long run: if an attacker continuously spams messages with around 800 cat emoticons into the chat, the GUI becomes effectively unusable for the user.
There is an upside though: the audio and video streams are handled by a separate thread and are therefore not affected by the vulnerability.
Microsoft has already released a patch on its Patch Tuesday, so update your Skype for Business as soon as possible. If that’s not possible for whatever reason, there is also a workaround according to SEC Consult: disable emoticons in Skype for Business. You can do that by opening Tools -> Options -> IM and turning off "Show emoticons in messages".
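The emoticon counts quoted above (100 noticeable, 400 worse, 800 the worst case) translate directly into a simple detection rule for chat logs or a message-filtering gateway. The following is an added example, not code from SEC Consult or Microsoft: it counts emoticon shortcodes per message, flags messages above the thresholds from the article, and tracks how much a single sender has pushed through in total. The log format (timestamp, sender, message separated by tabs), the emoticon syntax matched by the regex (parenthesised keywords such as `(cat)` and classic `:)` smileys), the thresholds and the sample lines are all assumptions constructed for the demo.

```python
import re
from collections import defaultdict

# Assumed emoticon syntax: "(keyword)" shortcodes such as "(cat)" and classic ":)"-style smileys.
# Real clients may accept more forms; extend the pattern to match your deployment.
EMOTICON_RE = re.compile(r"\([a-z]+\)|:-?[()DPp]")

# Thresholds taken from the counts the article quotes (constructed policy, tune to taste).
WARN_THRESHOLD = 100    # already makes the client stutter
BLOCK_THRESHOLD = 400   # "400 is better", 800 reported as the worst case


def count_emoticons(message: str) -> int:
    """Number of emoticon tokens the client would have to render for this message."""
    return len(EMOTICON_RE.findall(message))


def classify(message: str) -> str:
    """Map a message to a verdict based on how many emoticons it carries."""
    n = count_emoticons(message)
    if n >= BLOCK_THRESHOLD:
        return "block"
    if n >= WARN_THRESHOLD:
        return "warn"
    return "allow"


def scan_log(lines):
    """Parse constructed 'timestamp<TAB>sender<TAB>message' lines.

    Returns (flagged, per_sender): flagged is a list of (sender, count, verdict)
    for every message that is not 'allow'; per_sender is the cumulative emoticon
    count per sender, useful for spotting someone who sends many warn-level
    messages rather than one huge one.
    """
    flagged = []
    per_sender = defaultdict(int)
    for line in lines:
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the filter
        _ts, sender, message = parts
        n = count_emoticons(message)
        per_sender[sender] += n
        verdict = classify(message)
        if verdict != "allow":
            flagged.append((sender, n, verdict))
    return flagged, dict(per_sender)


# Constructed sample log: a benign message, a 150-emoticon message and an 800-emoticon message.
SAMPLE_LOG = [
    "2000-01-01T09:00:01\talice\tmorning all :)",
    "2000-01-01T09:00:05\tmallory\t" + "(cat)" * 150,
    "2000-01-01T09:00:09\tmallory\t" + "(cat)" * 800,
]

if __name__ == "__main__":
    flagged, totals = scan_log(SAMPLE_LOG)
    for sender, n, verdict in flagged:
        print(f"{verdict.upper():5} {sender}: {n} emoticons in one message")
    print("cumulative per sender:", totals)
```

Run stand-alone, the script reports the two oversized messages from `mallory` and a cumulative total of 950 emoticons for that sender, while `alice`'s single smiley passes. In practice a gateway would apply the same `classify` decision before the message reaches the client that has to render it.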