Home > Security News > High-risk flaws in Skype
Security News:
EMAIL THIS LICENSING & REPRINTS

High-risk flaws in Skype

By Bill Brenner, News Writer
25 Oct 2005 | SearchSecurity.com

Security Wire Daily News
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google

Skype Technologies S.A. recommends users update their software to fix "high-risk" security holes attackers could exploit to cause a denial-of-service or launch malicious code. The vulnerabilities affect Skype software for Windows, Mac OS X, Linux and Pocket PC.

The Luxembourg-based Internet telephony service provider, which allows users to make free calls between computers or low-cost calls to regular telephones not connected to the Internet, said one problem is that "Skype can be made to execute arbitrary code through a buffer overflow when Skype is called upon to handle malformed URLs that are in Skype-specific URI types callto:// and skype://." Skype could also be used to launch malicious code "during importation of a VCARD that is in a specific non-standard format."

This issue affects Skype 1.1.*.0 through 1.4.*.83 for Windows, the vendor said.

Another problem is a heap overflow condition in the networking routine. "Skype can be remotely forced to crash due to an error in bounds checking in a specific networking routine," Skype said in its advisory. "An attacker who sends a stream of specifically crafted network traffic to a Skype client network can cause the client to overwrite part of the heap, including the heap integrity control data."

Since the attacker can't control the address where the data is written, "the most likely effect will be that the Skype will abort execution due to an internal error, although other unpredictable behavior is possible," the advisory said. "Such a crash will lead to a loss of availability of the Skype application until it is restarted by the user."

This issue affects all Skype releases prior to and including 1.4.*.83 for Windows, all releases prior to and including 1.3.*.16 for Mac OS X; all releases prior to and including 1.2.*.17 for Linux; and all releases prior to and including 1.1.*.6 for Pocket PC.

The fixes come a week after New York-based e-mail security firm MessageLabs Ltd. warned that a new variant of the IRCbot Trojan horse was taking aim at Skype users. The Trojan, also known as Fanbot, was distributed by e-mail, disguised as the newest Skype release -- version 1.4 -- which came out Oct. 10.

Sound Off! -   Be the first to post a message to Sound Off!


Tags: VoIP SecurityVIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineWebcastsWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Advanced Search | Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts