In association with heise online

5 June 2008, 10:53

Skype closes security hole

Skype has released a new version of its eponymous VoIP client that fixes two security flaws. The Windows version of Skype uses a filter to prevent locally stored executables from being launched via a file URI such as file://C:/foobar.exe. But according to iDefense the client only warns about the file types .ade, .adp, .asd, .bas, .bat, .cab, .chm, .cmd, .com, .cpl, .crt, .dll, .eml, .exe, .hlp, .hta, .inf, .ins, .isp and .js. Skype therefore does not block other potentially dangerous file types, such as .pif, .vbs and .scr. In addition, because the client's checks are case-sensitive and expect lower case, even a single capital letter in the file extension causes the file to escape the filter.

Nevertheless, for an attack to succeed, a crafted file must first be introduced onto the victim's computer. Skype has therefore only given this problem a CVSS score of 5.6. The vendor says that all Windows versions up to and including 3.8.*.115 are affected. The flaw has been fixed in version 3.8.0.139.
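The filter weakness described above, as an added illustration that is not Skype's code: a case-sensitive denylist of the extensions the article reports, next to a normalised and widened check. Both extension lists are taken from the article; the function names are assumptions.

```python
from urllib.parse import urlparse, unquote
import os

# Extensions the article says Skype's Windows client actually warned about.
SKYPE_WARNED = {
    ".ade", ".adp", ".asd", ".bas", ".bat", ".cab", ".chm", ".cmd", ".com",
    ".cpl", ".crt", ".dll", ".eml", ".exe", ".hlp", ".hta", ".inf", ".ins",
    ".isp", ".js",
}

# Types the article names as missing from that list (not an exhaustive set).
ALSO_DANGEROUS = {".pif", ".vbs", ".scr"}


def path_of(uri: str) -> str:
    """Return the decoded path component of a file:// URI.

    Both file://C:/x.exe and file:///C:/x.exe yield a path ending in x.exe."""
    return unquote(urlparse(uri).path)


def weak_filter_blocks(uri: str) -> bool:
    """The behaviour the article describes: exact, case-sensitive match
    against the short list, so 'foobar.EXE' or 'movie.scr' slip through."""
    return os.path.splitext(path_of(uri))[1] in SKYPE_WARNED


def hardened_filter_blocks(uri: str) -> bool:
    """Normalise before comparing: drop trailing dots and spaces that Windows
    ignores in file names, lower-case the extension, and widen the list.

    A denylist can never be complete; where the product allows it, an
    allowlist of known-safe types is the stronger design."""
    path = path_of(uri).rstrip(". ")
    ext = os.path.splitext(path)[1].lower()
    return ext in SKYPE_WARNED | ALSO_DANGEROUS


def audit(uris):
    """Report, per URI, whether each filter would block it (constructed input)."""
    return [(u, weak_filter_blocks(u), hardened_filter_blocks(u)) for u in uris]


if __name__ == "__main__":
    samples = ["file://C:/foobar.exe", "file://C:/foobar.EXE",
               "file://C:/movie.scr", "file:///C:/docs/notes.txt"]
    for uri, weak, hard in audit(samples):
        print(f"{uri:32} weak={weak!s:5} hardened={hard}")
```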

(mba)
