Skype patches high-risk flaw, says sorry for not telling us

Summary: The specific flaw exists within the 'skype4com' URI handler created by Skype during installation. When processing short string values through this handler an exploitable memory corruption may occur which can result in arbitrary code execution under the context of the current user.

Internet phone company Skype has issued a patch for a high-risk vulnerability affecting Windows users but, strangely, a public acknowledgment of the flaw comes a full month after the release of the fix.

An advisory from TippingPoint's Zero Day Initiative spells out the seriousness of this issue:

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Skype. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw exists within the 'skype4com' URI handler created by Skype during installation. When processing short string values through this handler an exploitable memory corruption may occur which can result in arbitrary code execution under the context of the current user.

The vulnerability was patched in the public release of Skype 3.6 for Windows, meaning that all versions of Skype for Windows updated or installed as of November 15 include the patch.

However, Skype's security team did not announce the fix until today, due to what is described as an "unintentional communication oversight."

"All we can do now is to apologize," says Skype's Villu Arak.


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
