Skype Technologies S.A. recommends users update their software to fix "high-risk" security holes attackers could exploit to cause a denial-of-service or launch malicious code. The vulnerabilities affect Skype software for Windows, Mac OS X, Linux and Pocket PC.
The Luxembourg-based Internet telephony service provider, which allows users to make free calls between computers or low-cost calls to regular telephones not connected to the Internet, said one problem is that "Skype can be made to execute arbitrary code through a buffer overflow when Skype is called upon to handle malformed URLs that are in Skype-specific URI types callto:// and skype://." Skype could also be used to launch malicious code "during importation of a VCARD that is in a specific non-standard format."
This issue affects Skype 1.1.*.0 through 1.4.*.83 for Windows, the vendor said.
Another problem is a heap overflow condition in the networking routine. "Skype can be remotely forced to crash due to an error in bounds checking in a specific networking routine," Skype said in its advisory. "An attacker who sends a stream of specifically crafted network traffic to a Skype client network can cause the client to overwrite part of the heap, including the heap integrity control data."
Since the attacker can't control the address where the data is written, "the most likely effect will be that the Skype will abort execution due to an internal error, although other unpredictable behavior is possible," the advisory said. "Such a crash will lead to a loss of availability of the Skype application until it is restarted by the user."
This issue affects all Skype releases prior to and including 1.4.*.83 for Windows, all releases prior to and including 1.3.*.16 for Mac OS X; all releases prior to and including 1.2.*.17 for Linux; and all releases prior to and including 1.1.*.6 for Pocket PC.
The fixes come a week after New York-based e-mail security firm MessageLabs Ltd. warned that a new variant of the IRCbot Trojan horse was taking aim at Skype users. The Trojan, also known as Fanbot, was distributed by e-mail, disguised as the newest Skype release -- version 1.4 -- which came out Oct. 10.