News

[PSUs]

Wednesday 26th October 2005

Critical security vulnerability found in Skype 10:26AM, Wednesday 26th October 2005

A highly critical security vulnerability has been discovered in various flavours of the Skype IP telephony software.

A boundary error exists when handling Skype-specific URI types such as 'callto://' and 'skype://'. This can be exploited to cause a buffer overflow and allows arbitrary code execution when the user clicks on a specially-crafted Skype-specific URL.

According to Secunia, the vulnerability is related to a boundary error in the handling of VCARD imports. It can be exploited to cause a buffer overflow and allows arbitrary code execution when the user imports a specially-crafted VCARD. There can also be annother boundary error in the handling of certain unspecified Skype client network traffic, which can be exploited to cause a heap-based buffer overflow. For more information go to secunia.com/advisories/17305/.

Users of Skype for Linux, Mac OS X, Pocket PC and Windows should update to the latest version at www.skype.com/download.

Simon Aughton

Submit to: Digg | Slashdot | Del.icio.us | Technorati

Read comments: 3

Add comments

Email a friend