Pentest Security Advisory : PTL-2005-01
Buffer overflow in Skype-specific URI and VCARD import handling

Advisory Details

Title: Buffer overflow in Skype-specific URI and VCARD import handling
Announcement date: 25 October 2005
Advisory Reference: ptl-2005-01
CVE Name: CVE-2005-3265
CVSS Base Score: 10.0 (AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N)
Products: Skype VoIP Client for Windows
Vulnerability Type: Buffer Overflow
Vendor-Status: Patch Released
Remotely Exploitable: Yes
Locally Exploitable: N/A
Advisory URL:

Vulnerability Description

Skype can be made to execute arbitrary code through a buffer overflow when called upon to handle malformed URLs that are in Skype-specific URI types callto:// and skype://.

In addition, Skype can be made to execute arbitrary code during importation of a VCARD that is in a specific non-standard format.

Vulnerable Versions

The following Skype clients are vulnerable to these attacks:

Skype for Windows: Releases 1.1.*.0 through 1.4.*.83

Vendor Status

18-10-2005 - Initial Pentest Limited Notification
18-10-2005 - Vulnerablities reproduced and acknowledged by Skype
25-10-2005 - Skype Security Advisory Released


An official fix to the issues covered by this security advisory has been released. To implement this fix, update to one of the following releases of Skype.

Skype for Windows: Release 1.4.*.84 or later

As a workaround prior to updating the Skype software, these bugs may be avoided by not selecting Skype-specific URIs and not importing VCARD records.


These vulnerabilities were discovered by Mark Rowe and Joe Moore from Pentest Limited.

arrow morePTL-2006-01

PTL-2004-06arrow more

Security Services

Pentest offers a thorough, yet adaptive range of security services to help customers address vulnerabilities in their network or applications. Services include: Secure Coding Workshops, SAST tools, Manual Penetration Testing and Security Audits.

read more arrow more

Database Services

Pentest offers a complete Database Security Assessment Service (DSAS) to businesses that rely on the security of the information held within their databases or have concerns relating to the security compliance of these systems.

read more arrow more

© Copyright Pentest Limited 2001 - 2016 All Rights Reserved. Privacy statement