In association with heise online

07 December 2007, 12:06

Critical hole in Skype VoIP client

It has just been announced that Skype has remedied a critical security hole in version 3.6 of its eponymous VoIP software for Windows, released in mid-November. When a user visits a specially crafted website, attackers are able to inject malicious code onto the PC and execute it with the user's privileges. It would then be possible to infect the computer with malware.

The Zero Day Initiative says there was a flaw in the URI handler skype4com, which is created when Skype is installed. Short strings can then be used to provoke a memory violation in this handler, allowing code to be written into memory. It is not clear whether this flaw entered the software with the update for the URI hole that was made public just prior to this update. But it is clear that Skype has once again closed critical holes furtively without informing users at all. The last security advisory published by Skype is from October 03, 2006.

Users who still have an older version of Skype should install the latest version as soon as possible. Generally, the software informs users that a new major update has been released. The software reportedly also informs users about security releases, but Skype first has to declare them as such.

(mba)

Permalink: http://h-online.com/-735617