Major Skype Vulnerability Found

Spike · #1 (**permalink**) 05-22-2006, 11:33 AM

VoIP provider Skype rolled out an update Friday to quash a bug that can let attackers send a file to a recipient without his or her consent, and potentially obtain access to the computer and its data.

The vulnerability, which Danish bug tracking firm Secunia rated as "moderately critical," is in the VoIP software's parsing of URLs. A malformed link -- sent in a Skype message, for instance -- can begin the transfer of a file from attacker to recipient, who does not need to have "explicitly consented to the action," Skype said in an advisory.

The transfer, however, would be seen by the recipient. "If a file transfer is started, it will be visible to the user and may be cancelled by the sender by selecting 'Cancel' in the normal way," the alert continued.

All versions of Skype for Windows prior to and including 2.0.*.104, as well as the beta 2.5.*.0 to and including 2.5.*.78, are vulnerable. Skype told users that they should update to patched versions -- 2.0.0.105 and the beta 2.5.0.82 -- from the Web site as soon as possible.

Depending on how users have set up Skype, the program may also automatically check for the update, and alert the user.

Skype's been hit with bugs before, including critical flaws found and fixed in October 2005 and November 2004.

Earlier this week, Skype launched a special promotion that lets U.S. and Canadian users make calls to landline and mobile numbers for free through the end of 2006.

Source: InformationWeek.com

MrEggsalad · #2 (**permalink**) 05-22-2006, 04:24 PM

Thanks for posting this, it really helped me out, I never would have found about this elsewise.

Eagle_Kiwi · #3 (**permalink**) 05-22-2006, 06:50 PM

Ditto! Thanks Spike. :-)
I'm off to upgrade now - though the "threat" doesn't exactly fill me with trembling. ;-)

Eagle_Kiwi · #4 (**permalink**) 05-22-2006, 06:55 PM

P.S. I HAD Beta 2.5.0.72 - and it didn't warn me.
What's more, I then ASKED it to Check for Updates - it said there were none!

So, I've gone to Skype.com myself and downloaded the new Beta (82) with no problem.

Haza · #5 (**permalink**) 05-25-2006, 03:25 AM

I have the same problem as Eagle_Kiwi.

I had 2.5.0.72 and Check for Update told that I have latest version of Skype. Today I checked www.skype.com for updates and there were new beta 2.5.0.91 available. I used Check for Update which told me I have latest version of Skype. I changed update settings to download automatically and checked again and still nothing.

I had problems with check for update in previous versions of Skype
(1.3, 1.4 and 2.0) which had that simple web update check. I think there was delay from few days to a week with check for updates after the new version was available in download page.

So my conclusion is that Skype is trying to reduce simultaneous downloads with this “feature”. I have to say that Skypes policy really sucks! I just don’t think this is acceptable way in case of security vulnerabilities.

THE BASICS About us BigBlueBall Blog Contact us	NEWS & REFERENCE Instant Messaging Social Networks Mobile Tech View all categories	DISCUSSION FORUMS Instant Messaging Social Networks Mobile Tech Computer Support View all forums	COMMUNITY Fan us on Facebook Follow us on Twitter Bookmark us on Delicious Subscribe to our RSS feed BigBlueBall badges	CONTRIBUTE Advertise on BigBlueBall Write for us Report a site bug
	Copyright © 2000-2009 BigBlueBall · All rights reserved · Privacy Powered by vBulletin® Copyright ©2000 - 2009, Jelsoft Enterprises Ltd. · Search Engine Friendly URLs by vBSEO 3.2.0

Currently Active Users Viewing This Topic: 1 (0 members and 1 guests)