by Paul Kerstein

Skype Patches Critical Flaws

Oct 26, 2005 | 3 mins
CSO and CISO, Data and Information Security

Skype users are being urged to upgrade to the latest version of the popular Internet telephony client, thanks to a number of critical flaws in the software that were disclosed Tuesday by Skype’s maker, Skype Technologies SA.

If exploited, two of the flaws could allow attackers to take over a Skype user’s system, the company said in an advisory published Tuesday. These flaws affect a number of Windows versions of the software, ranging from version 1.1 to 1.4, the statement said.

The first of these flaws could be exploited by tricking a Skype user into clicking on a specially crafted URL, while the second would require a Skype user to import a malicious vCard. VCard is an electronic business card format used by some e-mail programs.

Security research firm Secunia has rated the flaws “highly critical,” and listed a third type of error, which affects Mac OS and Linux clients as well, that could be exploited to crash the Skype client. The Secunia advisory also tells users to update to the latest version of the software.

At this time there is no known malicious software that takes advantage of these bugs, according to Secunia.

Though it has not been the target of a widespread attack to date, Skype has a number of characteristics that make it increasingly attractive to attackers, said Tom Newton, a product development manager with firewall vendor SmoothWall Ltd.

“It’s difficult to control from a network administrator point of view, and we’re left with an extremely homogenous environment,” he said. “Once everybody is running the same code, it becomes much more profitable for miscreants and wrongdoers to affect our computers.”

Skype Technologies says there are now 61 million registered Skype users, more than enough to attract the attention of hackers, according to Newton.

EBay Inc.’s planned acquisition of Skype Technologies and the possibility that the client will play a role in online commerce only makes a Skype attack more appealing, he added. “The attack is yet to come. I don’t doubt that something will happen,” Newton said. “The scale of it is up for debate.”

In fact, hackers have already begun paying attention to Skype, even if they have yet to launch a widespread attack. Earlier this month attackers began sending out malicious “Trojan horse” code in the form of e-mail attachments that claimed to contain version 1.4 of the Skype client.

Skype’s security advisory can be found here:

The Secunia advisory is here:

By Robert McMillan – IDG News Service (San Francisco Bureau)