Pentest Security Advisory : PTL-2005-01
Buffer overflow in Skype-specific URI and VCARD import handling
|Title:||Buffer overflow in Skype-specific URI and VCARD import handling|
|Announcement date:||25 October 2005|
|CVSS Base Score:||10.0 (AV:R/AC:L/Au:NR/C:C/I:C/A:C/B:N)|
|Products:||Skype VoIP Client for Windows|
|Vulnerability Type:||Buffer Overflow|
Skype can be made to execute arbitrary code through a buffer overflow when called upon to handle malformed URLs that are in Skype-specific URI types callto:// and skype://.
In addition, Skype can be made to execute arbitrary code during importation of a VCARD that is in a specific non-standard format.
The following Skype clients are vulnerable to these attacks:
Skype for Windows: Releases 1.1.*.0 through 1.4.*.83
|18-10-2005 -||Initial Pentest Limited Notification|
|18-10-2005 -||Vulnerablities reproduced and acknowledged by Skype|
|25-10-2005 -||Skype Security Advisory Released|
An official fix to the issues covered by this security advisory has been released. To implement this fix, update to one of the following releases of Skype.
Skype for Windows: Release 1.4.*.84 or later
As a workaround prior to updating the Skype software, these bugs may be avoided by not selecting Skype-specific URIs and not importing VCARD records.
Pentest offers a thorough, yet adaptive range of security services to help customers address vulnerabilities in their network or applications. Services include: Secure Coding Workshops, SAST tools, Manual Penetration Testing and Security Audits.
Pentest offers a complete Database Security Assessment Service (DSAS) to businesses that rely on the security of the information held within their databases or have concerns relating to the security compliance of these systems.