F-Secure
Tools
Skype File URI Code Execution Vulnerability
| Report ID: | SA30547 |
| Source: | Secunia |
| Date of Discovery: | 05.06.2008 |
| Criticality: | Moderate |
| Affects: | Skype for Windows 1.x Skype for Windows 2.x Skype for Windows 3.x |
| Compromise From: | From remote |
| Compromise Type: | System access |
Summary
A vulnerability has been reported in Skype, which can be exploited by malicious people to compromise a user's system.
Detailed Description
A vulnerability has been reported in Skype, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an error in the handling of "file:" URIs, which can be exploited to bypass the security warning for blacklisted file extensions e.g. via a "file:" URI containing upper case characters in the file extension.
Successful exploitation allows execution of arbitrary code, but requires that a user is tricked into clicking on a specially crafted "file:" URI.
The vulnerability is reported in version 3.8.*.115 and prior.
The vulnerability is caused due to an error in the handling of "file:" URIs, which can be exploited to bypass the security warning for blacklisted file extensions e.g. via a "file:" URI containing upper case characters in the file extension.
Successful exploitation allows execution of arbitrary code, but requires that a user is tricked into clicking on a specially crafted "file:" URI.
The vulnerability is reported in version 3.8.*.115 and prior.
Solution
Update to version 3.8.0.139.
http://www.skype.com/download/skype/windows/
http://www.skype.com/download/skype/windows/
Original Reference
-
CVE Reference
CVE-2008-1805