CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
June 5th, 2008

Skype File URI Security Bypass Code Execution Vulnerability

Skype has released a security bulletin to address a remotely exploitable vulnerability. The vulnerability is due to an error in the handling of “file:” URIs. By convincing a user to click on a specially crafted “file:” URI, a remote, unauthenticated attacker may be able to execute arbitrary code on the victim’s machine.

The URI handler in Skype checks the URL to verify that the link does not contain certain file extensions associated with executable file formats. If the link is found to contain a blacklisted executable file extension, a security warning dialog is shown to the user. The comparison is case sensitive. A second flaw is that the blacklist does not cover all potential executable file formats. Together these allow an attacker to bypass the security policy and execute arbitrary code if a victim clicks an attacker-supplied URL.
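To make the two flaws concrete, here is an added example (constructed for this post, not Skype’s code) of a naive extension check beside a hardened one. The blacklist, the allowlist and the sample URIs are all constructed; the point is that a case-sensitive suffix match against an incomplete blacklist lets through anything it did not anticipate, whereas normalising the path and comparing against an allowlist of extensions the application is willing to open silently fails closed.

```python
"""Constructed example: a flawed file: URI extension check beside a hardened one."""
from urllib.parse import urlparse, unquote

# Constructed blacklist in the spirit of the check the bulletin describes:
# a short list of executable extensions, compared case-sensitively.
NAIVE_BLACKLIST = (".exe", ".bat", ".cmd", ".com")

# Hypothetical allowlist of extensions the application will open without a warning.
SAFE_EXTENSIONS = frozenset({".txt", ".png", ".jpg", ".pdf"})


def naive_should_warn(uri: str) -> bool:
    """Flawed check: case-sensitive suffix match of the raw URI against a blacklist.

    Anything outside the list, or differing only in case, passes silently.
    """
    return uri.endswith(NAIVE_BLACKLIST)


def normalised_extension(uri: str) -> str:
    """Return the canonical, lower-cased extension of the path component of a file: URI."""
    parsed = urlparse(uri)            # query string and fragment are split off here
    path = unquote(parsed.path)       # percent-encoded characters such as %2E are decoded
    path = path.replace("\\", "/")    # accept Windows-style separators as well
    name = path.rsplit("/", 1)[-1]    # last path segment only
    name = name.rstrip(". ")          # Windows ignores trailing dots and spaces in file names
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[-1].lower()


def hardened_should_warn(uri: str) -> bool:
    """Hardened check: warn unless this is a file: URI with an allowlisted extension.

    Only file: URIs are vouched for; anything else is left to a confirmation dialog.
    """
    parsed = urlparse(uri)
    if parsed.scheme.lower() != "file":
        return True
    return normalised_extension(uri) not in SAFE_EXTENSIONS


if __name__ == "__main__":
    # Constructed sample links covering the cases a defender wants the check to handle.
    samples = [
        "file:///C:/tmp/notes.txt",
        "file:///C:/tmp/report.PDF",
        "file:///C:/tmp/setup.exe",
        "file:///C:/tmp/setup.EXE",
        "file:///C:/tmp/lure.scr",
        "file:///C:/tmp/tool%2Eexe",
        "file:///C:/tmp/tool.exe?x=.txt",
        "file:///C:/tmp/tool.exe.",
    ]
    print(f"{'uri':40} naive  hardened")
    for s in samples:
        print(f"{s:40} {str(naive_should_warn(s)):6} {hardened_should_warn(s)}")
```

Running the script prints, for each constructed link, whether each check would show the warning dialog; the naive check stays silent on the upper-case, unlisted, percent-encoded, query-suffixed and trailing-dot variants, while the hardened check warns on all of them and stays quiet only for the allowlisted document types.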

All versions of Skype for Windows up to and including 3.8.*.115 are vulnerable to this attack. Skype has fixed the vulnerability in version 3.8.0.139.

Users should review Skype security bulletin SKYPE-SB/2008-003 and upgrade to Skype version 3.8.0.139. The preferred method for installing security updates is to download the software directly from Skype’s website, from the website of Skype’s authorized partners, or from a reliable mirror site. Skype may also be safely downloaded from other locations, but in this case it is particularly important that you verify the authenticity of the download.
