In association with heise online

05 June 2008, 09:53

Skype closes security hole


Skype has released a new version of its eponymous VoIP client that fixes two security flaws. The Windows version of Skype uses a filter to prevent locally stored executables from being launched via a file URI such as file://C:/foobar.exe. But according to iDefense the client only warns about the file types .ade, .adp, .asd, .bas, .bat, .cab, .chm, .cmd, .com, .cpl, .crt, .dll, .eml, .exe, .hlp, .hta, .inf, .ins, .isp and .js. Skype therefore does not block other potentially dangerous file types, such as .pif, .vbs and .scr. In addition, because the client's checks are case-sensitive and expect lower case, even a single capital letter in the file extension causes the file to escape the filter.
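To make the two reported defects concrete, here is an added example (not Skype's or iDefense's code) that models the described extension filter beside a hardened version: the first does an exact, case-sensitive match against the list quoted above; the second case-folds the extension and covers the additional types the report names. The function names and the URI parsing are assumptions for illustration.

```python
from urllib.parse import urlsplit
from pathlib import PureWindowsPath

# Extension list as reported by iDefense for the affected Skype versions (quoted from the article).
SKYPE_38_BLOCKLIST = {
    ".ade", ".adp", ".asd", ".bas", ".bat", ".cab", ".chm", ".cmd", ".com", ".cpl",
    ".crt", ".dll", ".eml", ".exe", ".hlp", ".hta", ".inf", ".ins", ".isp", ".js",
}
# Additional dangerous types the article says the filter did not cover.
EXTRA_DANGEROUS = {".pif", ".vbs", ".scr"}


def _extension(uri: str) -> str:
    """Return the file extension (including the dot) of a file:// URI."""
    parts = urlsplit(uri)
    # For "file://C:/foobar.exe" urlsplit puts the drive letter into netloc;
    # rejoin it with the path so the Windows path is reconstructed intact.
    return PureWindowsPath(parts.netloc + parts.path).suffix


def vulnerable_should_warn(uri: str) -> bool:
    # Models the reported defect: exact, case-sensitive match against an incomplete list,
    # so "foobar.Exe" or "foobar.pif" slip through.
    return _extension(uri) in SKYPE_38_BLOCKLIST


def hardened_should_warn(uri: str) -> bool:
    # Normalise case before comparing and include the additional types from the report.
    return _extension(uri).lower() in (SKYPE_38_BLOCKLIST | EXTRA_DANGEROUS)


if __name__ == "__main__":
    # Constructed sample URIs exercising both defects.
    for sample in ("file://C:/foobar.exe", "file://C:/foobar.Exe", "file://C:/foobar.pif"):
        print(sample, vulnerable_should_warn(sample), hardened_should_warn(sample))
```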

Nevertheless, for an attack to succeed, a crafted file must first be introduced onto the victim's computer. Skype has therefore given this problem a CVSS score of only 5.6. The vendor says that all Windows versions up to and including 3.8.*.115 are affected. The flaw has been fixed in version 3.8.0.139.

(mba)

Permalink: http://h-online.com/-736211