Skype Sick With Bad Bug, Must Be Patched
Skype pushed out a patch for a vulnerability that can let attackers gain access to a target computer and its data.
VoIP provider Skype rolled out an update Friday to quash a bug that can let attackers send a file to a recipient without his or her consent, and potentially obtain access to the computer and its data.
The vulnerability, which Danish bug tracking firm Secunia rated as "moderately critical," is in the VoIP software's parsing of URLs. A malformed link -- sent in a Skype message, for instance -- can begin the transfer of a file from attacker to recipient, who does not need to have "explicitly consented to the action," Skype said in an advisory.
White PapersMore >>
- Strategy: Developing a Strategy for Enterprise Application Security
- Strategy: How Cybercriminals Choose Their Targets and Tactics
The transfer, however, would be seen by the recipient. "If a file transfer is started, it will be visible to the user and may be cancelled by the sender by selecting 'Cancel' in the normal way," the alert continued.
All versions of Skype for Windows prior to and including 2.0.*.104, as well as the beta 2.5.*.0 to and including 2.5.*.78, are vulnerable. Skype told users that they should update to patched versions -- 184.108.40.206 and the beta 220.127.116.11 -- from the Web site as soon as possible.
Depending on how users have set up Skype, the program may also automatically check for the update, and alert the user.
Earlier this week, Skype launched a special promotion that lets U.S. and Canadian users make calls to landline and mobile numbers for free through the end of 2006.