Skype fixes critical security flaw

Skype fixes critical security flaw

Summary: The VoIP company has faced criticism for its handling of a major security hole, while also coming under fire for allegedly ignoring users' bug reports

TOPICS: Tech Industry

Skype has fixed a critical security hole in the latest version of its Windows VoIP software, which could have allowed specially crafted websites to load and run malicious code on victims' PCs.

The URI handler skype4com, which the Skype software creates to handle web addresses, can fail when handling short strings, producing a memory violation that allows code to be written to memory.

"It is clear that Skype has once again closed critical holes furtively without informing users at all," said security website Heise Security.

Users of older versions of the software should make sure they are running the latest version of Skype — version 3.6.

Security research firm Secunia, which rated the flaw as critical, offers a Software Inspector that should determine if a PC is vulnerable.

Meanwhile, Skype has been criticised by users for allegedly not responding to bug reports.

Applications development professional and member Jamie Watson reported in his blog on Thursday comments from a Skype forum that Skype was producing 10,000 page faults per second on a user's computer.

Quoting from the forum, Watson said that for nearly two months Skype took the stance that the software was designed to produce that volume of faults. Finally, the VoIP company appeared to admit that the error was created by a thread, which Skype programmers put in for debugging and forgot to take out.

Skype could offer no response to Watson's comments at the time of writing.

The VoIP company has fallen out of favour with some of its other customers over the past few weeks. In November it withdrew a swathe of its users' telephone numbers, starting with the prized prefix 0207, after it fell out with one of its suppliers.

Topic: Tech Industry

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


1 comment
Log in or register to join the discussion
  • Why can Skype not just be forthcoming?

    Thanks for a good, timely article making some important points. It really escapes me why Skype is not able to simply be open, honest and forthcoming with their customers. They built an excellent reputation and grabbed a huge share of the market by making a good product a lot sooner than anyone else. They now seem to be determined to lose that reputation, and a good part of the market, because of a product that is suffering worse than usual growing pains, a market that is punishing them because someone else vastly overpaid for their company, and their own "fortress mentality", withholding critical information, attempting to dictate what hardware and other software they will allow or support on their users computers, and denying everything.

    By the way, one small correction to your reference to my blog. It is not only one user, or a few users, who have a problem with Skype producing excessive Page Faults. Every installation of the current version of Skype (3.6) produces somewhere between 700 and 10,000 Page Faults per Second, constantly.

    Thanks again for a good article.