Internet phone company Skype has issued a patch for a high-risk vulnerability affecting Windows users but, strangely, a public acknowledgment of the flaw comes a full month after the release of the fix.
An advisory from TippingPoint's Zero Day Initiative spells out the seriousness of this issue:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Skype. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.
The specific flaw exists within the 'skype4com' URI handler created by Skype during installation. When processing short string values through this handler an exploitable memory corruption may occur which can result in arbitrary code execution under the context of the current user.
The vulnerability was patched in the public release of Skype 3.6 for Windows, meaning that all versions of Skype for Windows updated or installed as of November 15 include the patch.
However, Skype's security team did not announce the fix until today, due to what is described as an "unintentional communication oversight."
"All we can do now is to apologize," says Skype's Villu Arak.