Skype patches high-risk flaw, says sorry for not telling us

Summary: The specific flaw exists within the 'skype4com' URI handler created by Skype during installation. When processing short string values through this handler an exploitable memory corruption may occur which can result in arbitrary code execution under the context of the current user.

Internet phone company Skype has issued a patch for a high-risk vulnerability affecting Windows users but, strangely, a public acknowledgment of the flaw comes a full month after the release of the fix.

An advisory from TippingPoint's Zero Day Initiative spells out the seriousness of this issue:

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Skype. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

The specific flaw exists within the 'skype4com' URI handler created by Skype during installation. When processing short string values through this handler an exploitable memory corruption may occur which can result in arbitrary code execution under the context of the current user.

The vulnerability was patched in the public release of Skype 3.6 for Windows, meaning that all versions of Skype for Windows updated or installed as of November 15 include the patch.
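Two facts in the article matter to an administrator: the flaw lives in a URI scheme handler that Skype registers at install time, and the fix shipped in 3.6. The PowerShell below is an added example, not code from the article, ZDNet or Skype. It lists the URI scheme handlers registered on a Windows machine and the executable each one launches, then checks whether the scheme the article names ('skype4com') is present and what file version backs it. It assumes the standard Windows convention for scheme handlers (a key under HKEY_CLASSES_ROOT carrying a 'URL Protocol' value, with the launch command in shell\open\command) and that the handler executable's file version tracks the release number the article gives; the registry layout for this particular scheme is an assumption, the scheme name and the 3.6 threshold come from the article.

```powershell
# Added example (not from the article or from Skype): enumerate registered
# URI scheme handlers and the executable each one launches.
# Assumption: handlers follow the standard Windows convention, i.e. a key under
# HKEY_CLASSES_ROOT with a 'URL Protocol' value and a shell\open\command subkey.
function Get-UrlProtocolHandler {
    [CmdletBinding()]
    param(
        # Scheme names to report; an empty list means report every registered scheme.
        [string[]]$Scheme = @()
    )
    $root = [Microsoft.Win32.Registry]::ClassesRoot
    foreach ($name in $root.GetSubKeyNames()) {
        if ($Scheme.Count -gt 0 -and $Scheme -notcontains $name) { continue }
        $key = $root.OpenSubKey($name)
        if ($null -eq $key) { continue }
        # Only keys carrying the 'URL Protocol' value are URI scheme handlers.
        $isHandler = $key.GetValueNames() -contains 'URL Protocol'
        $command = $null
        if ($isHandler) {
            $cmdKey = $key.OpenSubKey('shell\open\command')
            if ($cmdKey) { $command = $cmdKey.GetValue(''); $cmdKey.Close() }
        }
        $key.Close()
        if (-not $isHandler) { continue }
        # Pull the executable path out of the command string: the first
        # double-quoted token, or else the first whitespace-delimited token.
        $exe = $null
        if ($command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        elseif ($command) { $exe = ($command -split '\s+')[0] }
        $version = $null
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $version = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
        }
        [pscustomobject]@{
            Scheme      = $name
            Command     = $command
            Executable  = $exe
            FileVersion = $version
        }
    }
}

# Usage: report the scheme the article names and flag a handler whose
# executable reports a version older than the 3.6 release the article
# says carries the fix (the scheme name and threshold are the article's;
# that this key exists under HKCR is an assumption).
$h = Get-UrlProtocolHandler -Scheme 'skype4com'
if (-not $h) {
    Write-Output "No 'skype4com' URI handler is registered on this machine."
} else {
    $h | Format-List
    # Strip any trailing build text (e.g. ' (release)') before parsing the version.
    $clean = $h.FileVersion -replace '[^\d.].*$', ''
    if ($clean -and ([version]$clean -lt [version]'3.6')) {
        Write-Warning "Handler executable reports version $($h.FileVersion), older than the 3.6 release named as patched."
    }
}
```

Run it without `-Scheme` to get the full inventory of scheme handlers, which is worth keeping as a baseline: a flaw of this kind is reachable from any web page that can emit the scheme, so knowing which handlers a fleet exposes, and which binaries they hand input to, is the starting point for deciding what to patch or unregister. The file version read here is whatever the handler executable embeds, which may not match the product version shown in the client's own About dialog, so treat a mismatch as a prompt to check the installed release rather than as proof either way.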

However, Skype's security team never announced the fix until today, due to what is described as an "unintentional communication oversight."

"All we can do now is to apologize," says Skype's Villu Arak.

Talkback

7 comments
  • There is a point...

    when giving this information to bloggers can be a detriment, because of the
    sensationalization it is given. So it can actually be more responsible to not disclose
    something rather than prematurely draw unnecessary attention to it. You have to
    admit you guys can be over the top with your "reporting" sometimes.
    CowLauncher
  • Skype (beta) for Linux 2.0.0.27 is out!

    (replaces 2.0.0.13 and includes video support)

    Patch that Skype folks, whatever platform you have, and be safe!
    D T Schmitz
  • No Customer Support No Refunds

    Skype is less than worthless as a company that has No Customer Support. Try calling them.... and now this. I removed all traces of it months ago.
    DadsDrive
  • RE: Skype patches high-risk flaw, says sorry for not telling us

    After 1 week using SKYPE 3.6 I have one MAJOR issue!

    NO SUPPORT! NONE... It took seven days to figure out why I wasn't receiving video! This new version has "Video on screen" turned off by default!! Good luck finding the screen to enable it, EVERY TIME!

    Email support was useless! "If your "DXDIAG" report doesn't show the latest build, contact Microsoft support"! XP never does! So their solution is to go to MS &ell at $298.00 per hour! 9.0c xxxxxx is all anyone gets!

    Not a viable source for a paying customer!! If you can figure out the free stuff, OK. They're way too big.
    RS9
  • RE: Skype patches high-risk flaw, says sorry for not telling us

    Don't know what you are bitching about... They patched it a while ago, and you are complaining because you have been more secure than you thought!? BooHoo!!
    klockksr@...
  • RE: Skype patches high-risk flaw, says sorry for not telling us

    Well, they found the fault and fixed it, so what's the beef, John?
    vk4cma@...
  • Why not make automatic notification for such major fixes?

    I am not a techie like most of the folks on these forums, but I would have imagined that anything this significant could have been the subject of an automatic update alert.

    Following this story, I checked my Skype version, and it's version 3.5.0.234. When I checked for updates, I was informed a major update is available.

    Anyway, I think Skype should rethink its update notification policy.
    ekMont