June 10, 2008

Skype Bug Allows Attackers to Breach Users' Systems

By Michael Dinan, TMCnet Editor


Officials at a popular video conferencing Web site are warning that a security policy bypass allows attackers to execute arbitrary code on users' systems.
 
According to Skype, Windows versions of the software up to and including 3.8.*.115 are vulnerable to remote exploitation of the bug.

 
The URI handler in Skype checks the URL to verify that the link does not contain certain file extensions associated with executable file formats, according to Skype officials. If the link is found to contain a blacklisted executable file extension, a security warning dialog is shown to the user, officials say.
 
“This check is flawed in two ways,” according to Skype. “The check is performed using a case-sensitive comparison. The second flaw in this check is that the blacklist fails to mention all potential executable file formats. This allows an attacker to bypass this security policy and execute arbitrary code if a victim clicks an attacker-supplied URL.”
 
Version 3.8.0.139 has been released to address the problem, according to Skype.

The bug was found by VeriSign’s iDefense, company officials say.
 
According to VeriSign, the following file extensions are checked and considered dangerous by Skype: .ade, .adp, .asd, .bas, .bat, .cab, .chm, .cmd, .com, .cpl, .crt, .dll, .eml, .exe, .hlp, .hta, .inf, .ins, .isp, .js.
 
“Due to improper logic when performing these checks, it is possible to bypass the security warning and execute the program,” VeriSign officials say.
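To make the two flaws concrete, here is an added Python model of the check as the article describes it, beside a hardened version. This is illustrative code written for this page, not Skype's handler; the blacklist is the one listed above, while the `SAFE_EXTENSIONS` allowlist and the sample URIs are constructed for the example.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Extensions the article reports Skype's handler blacklisted (VeriSign iDefense list).
SKYPE_BLACKLIST = {
    ".ade", ".adp", ".asd", ".bas", ".bat", ".cab", ".chm", ".cmd", ".com", ".cpl",
    ".crt", ".dll", ".eml", ".exe", ".hlp", ".hta", ".inf", ".ins", ".isp", ".js",
}

# Constructed allowlist: non-executable types a hardened handler opens without a prompt.
SAFE_EXTENSIONS = {".txt", ".pdf", ".jpg", ".png"}


def flawed_needs_warning(uri: str) -> bool:
    """Model of the flawed logic: a case-sensitive suffix match of the raw
    URI against a fixed blacklist. Any extension spelled in a different case,
    or simply absent from the list, slips through without a warning."""
    return any(uri.endswith(ext) for ext in SKYPE_BLACKLIST)


def extension_of(uri: str) -> str:
    """Derive the effective file extension of a link: drop query and fragment,
    percent-decode, keep the last path component, strip trailing dots and
    spaces (Windows ignores them when opening a file), then lower-case."""
    path = unquote(urlsplit(uri).path)
    name = posixpath.basename(path).rstrip(". ").lower()
    return posixpath.splitext(name)[1]


def hardened_needs_warning(uri: str) -> bool:
    """Decide on the normalized extension and default to warning: only a
    short allowlist of non-executable types opens silently, so an executable
    format missing from any blacklist still triggers the prompt."""
    return extension_of(uri) not in SAFE_EXTENSIONS


if __name__ == "__main__":
    # ".xyz" stands in for any executable format the blacklist omits.
    for link in ("file:///C:/tmp/tool.exe", "file:///C:/tmp/Tool.EXE",
                 "file:///C:/tmp/tool.xyz", "file:///C:/tmp/notes.txt"):
        print(f"{link:32} flawed={flawed_needs_warning(link)!s:5} "
              f"hardened={hardened_needs_warning(link)}")
```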
 
To exploit the bug, Skype officials say, an attacker would need to construct a malicious file URI and send it to the intended victim.
 
“Upon clicking the link, execution of arbitrary code on the victim’s machine will be possible,” they say.
 
This isn’t the first time Skype has endured bugs that open up its users to breaches. The company has had a handful of similar incidents in the past year.
 
Skype officials say the preferred method for installing security updates is to download the software directly from the company’s Web site or from its authorized partners.
 
“Skype may also be safely downloaded from other locations, but in this case it is particularly important that you verify the authenticity of the download,” Skype officials say.
 
The company recommends that once a user downloads any Skype software, he or she verify its integrity by one of several methods.
 
Both the Skype installer program and the Skype program that is installed by the installer are digitally signed, company officials say.
 
For Skype software built for Microsoft Windows and Mac OS X operating environments, the digital certificate used by Skype to sign software packages is signed by “VeriSign Class 3 Code Signing 2004 CA.”
 
For Skype software built for Linux platforms, all packages are signed by PGP key ID 0xD66B746E, the public component of which may be downloaded from http://www.skype.com/download/skype/linux/.
 
For general information about Skype security, see the Skype Security Resource Center at http://www.skype.com/security/.
 
Michael Dinan is a TMCNet Editor. To read more of his articles, please visit his columnist page.
 