Skype Multiple URI and VCARD Handling Buffer Overflow Vulnerabilities
Via FrSIRT. * Technical Description *
Advisory ID : FrSIRT/ADV-2005-2197
CVE ID : CVE-2005-3265 - CVE-2005-3267
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2005-10-25
Multiple vulnerabilities were identified in Skype, which could be exploited by remote attackers to execute arbitrary commands or cause a denial of service.
The first issue is due to buffer overflow errors when processing a specially crafted "callto://" or "skype://" URL, which could be exploited by attackers to execute arbitrary commands.
The second vulnerability is due to an error when importing non-standard VCARD files, which could be exploited by attackers to compromise a vulnerable system by convincing a user to import a malicious VCARD.
The third flaw is due to an unspecified error in a specific networking routine, which could be exploited by attackers to execute arbitrary commands or cause a denial of service.
Skype for Windows Release 1.4.*.83 and prior
Skype for Mac OS X Release 1.3.*.16 and prior
Skype for Linux Release 1.2.*.17 and prior
Skype for Pocket PC Release 1.1.*.6 and prior
Apply patches :
http://www.skype.com/download/
http://www.frsirt.com/english/advisories/2005/2197
http://www.skype.com/security/skype-sb-2005-02.html
http://www.skype.com/security/skype-sb-2005-03.html
http://www.pentest.co.uk/documents/ptl-2005-01.html
0 Comments:
Post a Comment
<< Home