In an advisory, Secunia reports three critical vulnerabilities in the Skype VoIP software that can be exploited by malicious users. Fortunately, updating the software is enough.
Problem description:
Some vulnerabilities have been reported in Skype, which can be exploited by malicious people to cause a DoS or to compromise a user's system.
1) A boundary error exists when handling Skype-specific URI types e.g. "callto://" and "skype://". This can be exploited to cause a buffer overflow and allows arbitrary code execution when the user clicks on a specially-crafted Skype-specific URL.
The vulnerability is related to:
2) A boundary error exists in the handling of VCARD imports. This can be exploited to cause a buffer overflow and allows arbitrary code execution when the user imports a specially-crafted VCARD.
Vulnerabilities #1 and #2 have been reported in Skype for Windows Release 1.1.*.0 through 1.4.*.83.
3) A boundary error exists in the handling of certain unspecified Skype client network traffic. This can be exploited to cause a heap-based buffer overflow.
Successful exploitation crashes the Skype client.
The vulnerability has been reported in the following versions:
* Skype for Windows Release 1.4.*.83 and prior.
* Skype for Mac OS X Release 1.3.*.16 and prior.
* Skype for Linux Release 1.2.*.17 and prior.
* Skype for Pocket PC Release 1.1.*.6 and prior.
Solution:
Update to the fixed version.
http://www.skype.com/download/
Skype for Windows:
Update to Release 1.4.*.84 or later.
Skype for Mac OS X:
Update to Release 1.3.*.17 or later.
Skype for Linux:
Update to Release 1.2.*.18 or later.
Skype for Pocket PC:
No patch is yet available.
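
A version check for the ranges listed above, as an added example (not part of the advisory and not Skype's own tooling). It assumes the `*` in the version patterns is a wildcard, so only the first, second and fourth fields are compared; the platform keys and function names are illustrative.

```python
# Added example. Assumption: "*" in the advisory's version patterns is a
# wildcard, so only the first, second and fourth fields are compared.

# Vulnerability 3: (last affected release, fixed release) per platform.
# The fixed release is None where the advisory lists no patch.
NETWORK_OVERFLOW = {
    "windows": ((1, 4, 83), "1.4.*.84"),
    "macosx": ((1, 3, 16), "1.3.*.17"),
    "linux": ((1, 2, 17), "1.2.*.18"),
    "pocketpc": ((1, 1, 6), None),
}
# Vulnerabilities 1 and 2: Skype for Windows 1.1.*.0 through 1.4.*.83.
URI_VCARD_RANGE = ((1, 1, 0), (1, 4, 83))


def parse_version(text):
    """Turn 'major.minor.x.build' into a comparable (major, minor, build)."""
    fields = text.strip().split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four dot-separated fields: {text!r}")
    major, minor, _wildcard, build = fields
    return int(major), int(minor), int(build)


def assess(platform, version):
    """Return the advisory's vulnerability numbers that apply, plus the fix."""
    key = parse_version(version)
    last_affected, fixed = NETWORK_OVERFLOW[platform]
    hits = []
    low, high = URI_VCARD_RANGE
    if platform == "windows" and low <= key <= high:
        hits += [1, 2]
    if key <= last_affected:
        hits.append(3)
    return {"vulnerabilities": hits, "update_to": fixed if hits else None}


if __name__ == "__main__":
    # Constructed inventory entries, not taken from the advisory.
    for platform, version in [("windows", "1.4.0.83"), ("windows", "1.4.0.84"),
                              ("linux", "1.2.0.17"), ("pocketpc", "1.1.0.6")]:
        print(platform, version, assess(platform, version))
```

An affected Pocket PC install reports `update_to` as `None` because the advisory lists no patch for that platform.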