Skype fixes critical security flaw

Skype has fixed a critical security hole in the latest version of its Windows VoIP software, which could have allowed specially crafted websites to load and run malicious code on victims' PCs.

The URI handler skype4com, which the Skype software creates to handle web addresses, can fail when handling short strings, producing a memory violation that allows code to be written to memory.

"It is clear that Skype has once again closed critical holes furtively without informing users at all," said security website Heise Security.

Users of older versions of the software should make sure they are running the latest version of Skype — version 3.6.

Security research firm Secunia, which rated the flaw as critical, offers a Software Inspector that should determine if a PC is vulnerable.

Meanwhile, Skype has been criticised by users for allegedly not responding to bug reports.

Applications development professional and ZDNet.co.uk member Jamie Watson reported in his blog on Thursday comments from a Skype forum that Skype was producing 10,000 page faults per second on a user's computer.

Quoting from the forum, Watson said that for nearly two months Skype took the stance that the software was designed to produce that volume of faults. Finally, the VoIP company appeared to admit that the error was created by a thread, which Skype programmers put in for debugging and forgot to take out.

Skype could offer no response to Watson's comments at the time of writing.

The VoIP company has fallen out of favour with some of its other customers over the past few weeks. In November it withdrew a swathe of its users' telephone numbers, starting with the prized prefix 0207, after it fell out with one of its suppliers.