Kiwi Security Expert Finds Flaw in Skype

A security flaw in Skype’s peer-to-peer voice-over-IP (VoIP) software has been closed, thanks to diligent work by a Kiwi security expert.

Brett Moore, chief technology officer of Australian independent security company Security-Assessment.com, uncovered the flaw in Skype’s software. Skype is now advising users to upgrade to its latest version to fix the bug.

Moore said the type of vulnerability found in Skype is fairly common with applications that interact with Internet browsers.

“We have previously discovered this type of vulnerability in two separate programs, and there are public releases of similar issues in other programs,” he said.

The security flaw manifests itself through the way Skype handles uniform resource identifiers (URIs) that point to names or addresses referring to resources.

Security-Assessment.com discovered that with one type of URI handler installed by Skype, it was possible to include additional command-line switches. One such switch will set up a file transfer session that will allow data written to the local hard disk to be sent to another Skype user.

For an attacker to successfully exploit the flaw, he must know the exact name and location of the file he wants to transfer on the victim’s computer. The attacker must also authorize the victim, Security-Assessment.com said. This is easily done, with the attacker simply adding the victim to his contact list.

There are further URI handler flaws in Skype, Security-Assessment.com said. Other command-line switches could be exploited to manipulate or obtain victims’ Skype user credentials.

Security-Assessment.com regularly performs application testing for its customers or as part of its own R&D, said Moore.

“In this case, we were reviewing Skype as part of a larger VoIP research program. Often we will notice what appears to be the potential for a vulnerability and investigate further.”

Moore said a targeted attack is required to exploit this particular vulnerability.

“The person to be exploited must be specifically selected, and they must be convinced to browse to a webpage or click on a hyperlink,” he said. “While there are certain mitigating factors involved in a successful attack, the potential is there for an attacker to steal confidential files, including the user’s Skype configuration.”

Theft of the Skype configuration could lead to further attacks such as ID theft, or listening in on users’ conversations, he said.

“The best solution is to install the vendor-supplied update,” Moore said.

“As always, users should be aware of malicious e-mails and e-mail attachments.”

When discovering security flaws, the company works directly with the vendor involved to help secure the software, Moore said.

“Skype was very happy to work with us on this issue. They phoned me shortly after receiving our security report and kept me up to date with their progress,” he said.

“During the patch development, they called me to discuss further details and sent me a pre-release install to verify that they had fixed the problem.”

Moore was a little surprised to find the bug in Skype because it has already undergone independent security reviews, and also because of the large numbers of users.

Keep checking in at our Security Feed page, or subscribe via RSS, for updated news coverage.

By Ulrika Hedquist and Juha Saarinen, Computerworld New Zealand Online