High-risk flaws in Skype

Attackers could cause a denial-of-service attack or launch malicious code by exploiting vulnerabilities in the Internet telephony software. But fixes are available.

Skype Technologies S.A. recommends users update their software to fix "high-risk" security holes attackers could exploit to cause a denial-of-service or launch malicious code. The vulnerabilities affect Skype software for Windows, Mac OS X, Linux and Pocket PC.

The Luxembourg-based Internet telephony service provider, which allows users to make free calls between computers or low-cost calls to regular telephones not connected to the Internet, said one problem is that "Skype can be made to execute arbitrary code through a buffer overflow when Skype is called upon to handle malformed URLs that are in Skype-specific URI types callto:// and skype://." Skype could also be used to launch malicious code "during importation of a VCARD that is in a specific non-standard format."

This issue affects Skype 1.1.*.0 through 1.4.*.83 for Windows, the vendor said.

Another problem is a heap overflow condition in the networking routine. "Skype can be remotely forced to crash due to an error in bounds checking in a specific networking routine," Skype said in its advisory. "An attacker who sends a stream of specifically crafted network traffic to a Skype client network can cause the client to overwrite part of the heap, including the heap integrity control data."

Since the attacker can't control the address where the data is written, "the most likely effect will be that the Skype will abort execution due to an internal error, although other unpredictable behavior is possible," the advisory said. "Such a crash will lead to a loss of availability of the Skype application until it is restarted by the user."

This issue affects all Skype releases prior to and including 1.4.*.83 for Windows, all releases prior to and including 1.3.*.16 for Mac OS X; all releases prior to and including 1.2.*.17 for Linux; and all releases prior to and including 1.1.*.6 for Pocket PC.

The fixes come a week after New York-based e-mail security firm MessageLabs Ltd. warned that a new variant of the IRCbot Trojan horse was taking aim at Skype users. The Trojan, also known as Fanbot, was distributed by e-mail, disguised as the newest Skype release -- version 1.4 -- which came out Oct. 10.

This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close