Skype closes security hole
Skype has released a new version of its eponymous VoIP client that fixes two security flaws. The Windows version of Skype uses a filter to prevent locally stored executables from being launched via a file URI such as
file://C:/foobar.exe. But according to iDefense the client only warns about the file types
.ade, .adp, .asd, .bas, .bat, .cab, .chm, .cmd, .com, .cpl,.crt, .dll, .eml, .exe, .hlp, .hta, .inf, .ins, .isp and
.js. Skype therefore does not block other potentially dangerous file types, such as
.pif, .vbs and
.scr. In addition, because the client's checks are case-sensitive and expect lower case, even a single capital letter in the file extension causes the file to escape the filter.
Nevertheless for an attack to succeed a crafted file must be introduced onto the victim's computer. Skype has therefore only given this problem a CVSS rank of 5.6. The vendor says that all Windows versions up to and including 3.8.*.115 are affected. The flaw has been fixed in version 22.214.171.124.
- Skype File URI Security Bypass Code Execution Vulnerability, Skype security advisory
- Skype File URI Security Bypass Code Execution Vulnerability, iDefense security advisory