Skype Plugs Critical Security Hole
According to a recent announcement, Skype has fixed a serious security flaw in its VoIP software, version 3.6 for Windows, made available in the middle of November this year.
When a user visits a specially crafted website, attackers could inject malware into the computer and execute code with the user's privileges. This then enables them to infect those PCs with contaminants.
Skype itself introduced the bug, in its 'skype4com' URI handler, at the time the software is installed. When short string values are processed via this handler, an exploitable memory corruption may occur, allowing execution of arbitrary code on the user's system.
According to the Zero Day Initiative, it is not known whether this bug entered the software via the patch for the URI flaw that was publicly declared just before the update. Heise Security published this in news on December 7, 2007. However, one thing is evident: Skype has the ability to plug critical holes secretly without letting users know about them.
Security research company Secunia, which rated the vulnerability as "critical", has offered the services of its software inspector to determine whether a computer is vulnerable to attack.
Meanwhile, users of Skype have criticized the VoIP service provider, alleging that it did not respond to reports about the bug.
Jamie Watson, a ZDNet.co.uk member and applications development professional, posted Skype's comments from its forum on his blog on December 6, 2007, stating that Skype had been generating 10,000 page errors in a second on the computer of a Skype user. ZDNet.co.uk reported this on December 7, 2007.
Citing the forum, Watson further said that for about two months Skype held that its software was designed to create that many errors. In the end, the VoIP company accepted that the fault was produced by a thread that Skype programmers had inserted for debugging and left there by mistake.
Users still running an older version of Skype are advised to install the new version as early as possible. The general benefit of this software is that it informs users when a new update is released. It also furnishes information about other security releases.
» SPAMfighter News - 20-12-2007