Two weeks ago, Skype patched a critical vulnerability that could let an attacker send a file to another user without his or her consent, and potentially obtain access to the recipient's computer and data.
"This vulnerability follows three in 2005 (two high-risk, one low-risk) and highlights the risk of not establishing and implementing an enterprise policy for Skype," wrote Gartner research director Lawrence Orans in an online research note. "Because the Skype client is a free download, most businesses have no idea how many Skype clients are installed on their systems or how much Skype traffic passes over their networks."
The problem, said Orans, is that Skype doesn't demand that vulnerable clients be updated, and sans administrative management controls to force this, the VoIP client leaves corporate networks open to attack.
"In contrast, Microsoft immediately restricted access to its MSN Messenger instant messaging (IM) service in 2005 when it discovered a vulnerability in its IM client. Only users with an updated and nonvulnerable [sic] client were allowed to access the service, which meant Microsoft essentially performed the vulnerability management process on behalf of businesses. Skype provides no such protection," Orans added.
Gartner has previously recommended that enterprises stay away from Skype, and Orans repeated that advice in his note.
"The most secure option is to block Skype traffic completely," he said. "However, if after weighing the risks, a business decides to allow Skype use, it should actively manage version control of Skype client — and its distribution to authorized users — using configuration management tools."
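As an added illustration of the version-control point (this is not from the article or from Gartner), the following PowerShell script inventories Skype installations recorded in a Windows host's Uninstall registry keys and flags any below an approved minimum. The registry paths are the standard locations for installed-program metadata; the `$MinimumVersion` value is a placeholder, since the article names no specific patched build, and the `Skype*` display-name match is an assumption about how the client registers itself.

```powershell
# Added example, not code from the article: report installed Skype clients on
# this host and flag those below an approved minimum version.
param(
    # Placeholder: replace with the lowest approved build for your environment.
    [version]$MinimumVersion = '0.0.0.0'
)

# Standard locations where Windows records installed programs (the WOW6432Node
# path only exists on 64-bit systems; missing paths are silently skipped).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: the client registers a DisplayName starting with "Skype".
$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Skype*' } |
    Select-Object DisplayName, DisplayVersion

if (-not $installs) {
    Write-Output 'No Skype client found in the Uninstall registry keys'
    return
}

foreach ($app in $installs) {
    $ver = $null
    # Versions that do not parse are reported rather than silently treated as ok.
    if (-not [version]::TryParse($app.DisplayVersion, [ref]$ver)) {
        Write-Output ("{0}: unparseable version '{1}' - review manually" -f $app.DisplayName, $app.DisplayVersion)
        continue
    }
    if ($ver -lt $MinimumVersion) {
        Write-Output ("{0} {1}: BELOW approved minimum {2}" -f $app.DisplayName, $ver, $MinimumVersion)
    } else {
        Write-Output ("{0} {1}: ok" -f $app.DisplayName, $ver)
    }
}
```

Run it through whatever configuration-management or remote-execution tool already reaches the fleet, collect the output centrally, and the "below minimum" lines become the list of clients to update or block; the script only reads the registry and changes nothing.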