|
 |
|
Skype URL Handling File Disclosure Vulnerability
|
|
|
|
|
Secunia Advisory:
|
SA20154
|
|
|
Release Date:
|
2006-05-19
|
|
Last Update:
|
2006-06-07
|
|
|
Critical:
|
Moderately critical
|
|
Impact:
|
Security Bypass
Exposure of sensitive information
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | Skype for Windows 1.x
Skype for Windows 2.x
|
| | CVE reference: | CVE-2006-2312 (Secunia mirror)
|
|
|
Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS! |
|
|
Description:
A vulnerability has been reported in Skype, which can be exploited by malicious people to bypass certain security restrictions and potentially disclose certain sensitive information.
The vulnerability is cause due to an error within the parsing of the parameters passed by the URI handler. This can be exploited to inject additional command line switches to the Skype client to initiate transfer of a file from one Skype user to another via a specially crafted Skype URL, without requiring the sender to explicitly consent the action.
Successful exploitation requires that the user follows a malicious Skype URL and that the recipient has previously authorised the sender.
The vulnerability has been reported in the following versions of Skype for Windows.
* Release 2.0.*.104 and prior
* Release 2.5.*.0 through 2.5.*.78
Do you have this product installed on your home computer? Scan using the free Personal Software Inspector. Check if a vulnerable version is installed on computers in your corporate network, using the Network Software Inspector.
Solution:
Update to the fixed versions.
http://www.skype.com/download/skype/windows/
Skype for Windows 2.0:
Update to release 2.0.*.105 or later.
Skype for Windows 2.5:
Update to release 2.5.*.79 or later.
Provided and/or discovered by:
The vendor credits Brett Moore of Security-Assessment.com Ltd.
Changelog:
2006-05-23: Updated "Description" and "Original Advisory" sections.
2006-06-07: Added link to US-CERT vulnerability note.
Original Advisory:
Skype:
http://www.skype.com/security/skype-sb-2006-001.html
Security-Assessment.com:
http://www.security-assessment.com/Ad.../Skype_URI_Handling_Vulnerability.pdf
Other References:
US-CERT VU#466428:
http://www.kb.cert.org/vuls/id/466428
|
|
|
|
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
|
4 Related Secunia Security Advisories
|
|
|
1. Skype File URI Code Execution Vulnerability
|
|
2. Skype Cross-Zone Scripting Security Enhancement
|
|
3. Skype Multiple Buffer Overflow Vulnerabilities
|
|
4. Skype "callto:" URI Handler Buffer Overflow Vulnerability
|
|
|
Send Feedback to Secunia
|
|
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback are most welcome.
|
|
|
|
|
|
Secunia PSI
Scan | Patch | Track
Free Download
|
|
|
Secunia Poll
|
|
|
|
|
 |
|
|
Most Popular Advisories
|
|
|
|
|
|
