Skype Patches Security Vulnerability
Posted by Max on 2008/6/9 15:01:33

Skype released a security bulletin describing a recently found vulnerability: Skype File URI Security Bypass Code Execution Vulnerability. Affected are all Skype Windows clients prior to and including 3.8.*.115; the vulnerability is fixed in version 3.8.0.139.

1. Problem description and brief discussion
Remote exploitation of a security policy bypass in Skype for Windows could allow an attacker to execute arbitrary code.

The URI handler in Skype checks the URL to verify that the link does not contain certain file extensions associated with executable file formats. If the link is found to contain a blacklisted executable file extension, a security warning dialog is shown to the user. This check is flawed in two ways. First, the comparison against the blacklist is case sensitive.

Second, the blacklist does not cover all potential executable file formats. Together these flaws allow an attacker to bypass the security policy and execute arbitrary code if a victim clicks an attacker-supplied URL.
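The two flaws above, shown as a small added example (not Skype's code): a blacklist check with a case-sensitive comparison beside a hardened check that normalises case and defaults to warning for any extension not explicitly allowed. The extension sets and the sample URIs are constructed for illustration only.

```python
# Added example, not Skype's code. Contrasts the flawed blacklist check described
# in the bulletin with a hardened allowlist check. Extension sets are constructed.
from urllib.parse import urlparse, unquote
import posixpath

# Constructed stand-in for an incomplete blacklist of "dangerous" extensions.
EXECUTABLE_BLACKLIST = {".exe", ".bat", ".cmd", ".com"}

# Constructed allowlist of extensions the hardened check will open without warning.
SAFE_EXTENSIONS = frozenset({".txt", ".png", ".jpg"})


def extension_of(uri: str) -> str:
    """Return the (percent-decoded) file extension of a file: URI's path, e.g. '.EXE'."""
    path = unquote(urlparse(uri).path)
    return posixpath.splitext(path)[1]


def flawed_needs_warning(uri: str) -> bool:
    """Mirrors the bulletin's two flaws: the extension is compared case-sensitively
    against a blacklist, and anything not on the blacklist is allowed silently."""
    return extension_of(uri) in EXECUTABLE_BLACKLIST


def hardened_needs_warning(uri: str) -> bool:
    """Hardened form: lower-case the extension before comparing, and invert the
    policy so that unlisted (unknown) extensions default to showing the warning."""
    if urlparse(uri).scheme.lower() != "file":
        return True  # only file: links are expected here; anything else gets a warning
    ext = extension_of(uri).lower()
    return ext not in SAFE_EXTENSIONS


if __name__ == "__main__":
    for sample in ("file:///C:/tmp/run.exe", "file:///C:/tmp/run.EXE",
                   "file:///C:/tmp/tool.xyz", "file:///C:/tmp/notes.txt"):
        print(f"{sample:32} flawed={flawed_needs_warning(sample)!s:5} "
              f"hardened={hardened_needs_warning(sample)}")
```

Run stand-alone, the table shows the upper-case and unlisted extensions slipping past the flawed check while the hardened check warns on both and still allows the plain text file.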

2. Impact and affected software
Exploitation of this issue allows an attacker to execute arbitrary code on the targeted victim's machine. An attacker would need to construct a malicious file: URI and send it to the intended victim. Once the victim clicks the link, execution of arbitrary code on the victim's machine becomes possible.

Affected software
The following Skype clients are vulnerable to this attack:

Skype for Windows:
All releases prior to and including 3.8.*.115

3. Solution or work-around
Skype has fixed the vulnerability in version 3.8.0.139.

4. Special instructions and notes
None.

5. Software download location
The preferred method for installing security updates is to download the software directly from Skype's website, from the website of Skype's authorized partners, or from a reliable mirror site. Skype may also be safely downloaded from other locations, but in this case it is particularly important that you verify the authenticity of the download.

We recommend that once you download any Skype software that you verify its integrity by the methods listed in Section 6 of this Bulletin.

x86 platform, Microsoft Windows 2000 or Microsoft Windows XP: http://www.skype.com/download/skype/windows/

x86 platform, Linux: http://www.skype.com/download/skype/linux/

PPC and x86 platforms, Mac OS X v10.3.9 or later: http://www.skype.com/download/skype/macosx/

Pocket PC platform, Microsoft Windows Mobile 2003: http://www.skype.com/download/skype/pocketpc/

6. Authenticity verification

- Bulletin authenticity verification:
Skype security bulletins are published on Skype's web site and via mailing lists. The authenticity and integrity of a Skype security bulletin may be determined by inspecting the cryptographic signature that is attached to each bulletin. All Skype security bulletins are published with a valid digital signature produced by PGP.

- Software authenticity verification:
Both the Skype installer program and the Skype program that is installed by the installer are digitally signed.

For Skype software built for Microsoft Windows and Mac OS X operating environments, the digital certificate used by Skype to sign software packages is signed by "VeriSign Class 3 Code Signing 2004 CA".

For Skype software built for Linux platforms, all packages are signed by PGP key ID 0xD66B746E, the public component of which may be downloaded from http://www.skype.com/download/skype/linux/.

- For general information about Skype security, please visit the Skype Security Resource Center at http://www.skype.com/security/.
