Skype security warning
p2p news / p2pnet: If you’re a Skype user and you haven’t updated your Skype client, better do it.
The company, now owned by eBay, with all that implies, has published a warning about a heap overflow.
“Skype can be remotely forced to crash due to an error in bounds checking in a specific networking routine,” it says in a security bulletin.
“An attacker who sends a stream of specifically-crafted network traffic to a Skype client network can cause the client to overwrite part of the heap, including the heap integrity control data. Since the attacker cannot control the address where the data is written, the most likely effect will be that the Skype will abort execution due to an internal error, although other unpredictable behavior is possible.
“Such a crash will lead to a loss of availability of the Skype application until it is restarted by the user. Skype has been able to induce Skype clients to crash, but has not been able to cause the client to execute specific instructions.”
The Skype clients below are vulnerable to this attack:
Skype for Windows – All releases prior to and including 1.4.*.83
Skype for Mac OS X – All releases prior to and including 1.3.*.16
Skype for Linux – All releases prior to and including 1.2.*.17
Skype for Pocket PC – All releases prior to and including 1.1.*.6
Go here for patches and instructions.
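
An added example (not from Skype's bulletin or from p2pnet): a small Python check an administrator could run over a client inventory against the version list above. It assumes the `*` in each bound is a wildcard for the third field, so only the major, minor and build numbers are compared. The host names and versions in the sample inventory are constructed.

```python
# Added example: affected-version check built from the bulletin's list.
# Assumption: in a bound such as "1.4.*.83" the third field is a wildcard,
# so a client is affected when (major, minor, build) <= the listed bound.

AFFECTED_UP_TO = {
    "windows": "1.4.*.83",
    "mac os x": "1.3.*.16",
    "linux": "1.2.*.17",
    "pocket pc": "1.1.*.6",
}

def _key(version):
    """Turn 'a.b.c.d' into (a, b, d); the third field is ignored."""
    parts = version.strip().split(".")
    if len(parts) != 4:
        raise ValueError("expected four dot-separated fields: %r" % version)
    major, minor, _wildcard, build = parts
    return (int(major), int(minor), int(build))  # ValueError if non-numeric

def is_affected(platform, version):
    """True if this client version falls inside the bulletin's range."""
    bound = AFFECTED_UP_TO[platform.strip().lower()]  # KeyError if unlisted
    return _key(version) <= _key(bound)

def audit(inventory):
    """Split hosts into (needs update, needs manual review)."""
    affected, review = [], []
    for host, platform, version in inventory:
        try:
            if is_affected(platform, version):
                affected.append(host)
        except (KeyError, ValueError):
            # Unknown platform or unparseable version: do not guess.
            review.append(host)
    return affected, review

# Constructed sample inventory: (host, platform, installed Skype version).
SAMPLE_INVENTORY = [
    ("ws-01", "Windows", "1.4.0.83"),
    ("ws-02", "Windows", "1.4.0.84"),
    ("mac-01", "Mac OS X", "1.3.0.14"),
    ("lnx-01", "Linux", "1.2.0.18"),
    ("ppc-01", "Pocket PC", "1.0.0.9"),
    ("ws-03", "Windows", "unknown"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
```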





