Friday, May 19, 2006

Skype URL Handling File Disclosure Vulnerability

"Moderately Critical"

Via Secunia.

Description:
A vulnerability has been reported in Skype, which can be exploited by malicious people to bypass certain security restrictions and potentially disclose certain sensitive information.

The vulnerability is caused due to an error within the parsing of the parameters passed by the URI handler. This can be exploited to initiate the transfer of a file from one Skype user to another via a specially crafted Skype URL without requiring the sender to explicitly consent to the action.

Successful exploitation requires that the user follows a malicious Skype URL and that the recipient has previously authorised the sender.

The vulnerability has been reported in the following versions of Skype for Windows.

  • Release 2.0.*.104 and prior
  • Release 2.5.*.0 through 2.5.*.78

Solution:
Update to the fixed versions.
http://www.skype.com/download/skype/windows/

Skype for Windows 2.0:
Update to release 2.0.*.105 or later.

Skype for Windows 2.5:
Update to release 2.5.*.79 or later.
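
To check an inventory of installed Skype for Windows versions against the ranges listed above, the following added example (not code from Secunia, Skype or this post) classifies each version string. It assumes four-field version strings, that "and prior" also covers branches older than 2.0, and a constructed sample inventory with hypothetical host names.

```python
import re

# Highest affected build per (major, minor) branch, transcribed from the advisory.
# The advisory writes the third field as a wildcard ("2.0.*.104"), so it is ignored.
LAST_AFFECTED_BUILD = {(2, 0): 104, (2, 5): 78}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def classify(version):
    """Return 'affected', 'fixed', 'not_listed' or 'unparseable' for one version string."""
    m = _VERSION_RE.match(version)
    if not m:
        return "unparseable"
    major, minor, _wildcard, build = map(int, m.groups())
    branch = (major, minor)
    if branch in LAST_AFFECTED_BUILD:
        return "affected" if build <= LAST_AFFECTED_BUILD[branch] else "fixed"
    if branch < (2, 0):
        # Assumption: "2.0.*.104 and prior" includes branches older than 2.0.
        return "affected"
    # Branch is not mentioned in the advisory; report it rather than guess.
    return "not_listed"


def group_by_status(inventory):
    """Map each status to a sorted list of hosts from a {host: version} inventory."""
    groups = {}
    for host, version in inventory.items():
        groups.setdefault(classify(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = {
    "ws-01": "2.0.0.104",
    "ws-02": "2.0.0.105",
    "ws-03": "2.5.0.78",
    "ws-04": "2.5.0.79",
    "ws-05": "1.4.0.84",
    "ws-06": "3.0.0.1",
    "ws-07": "unknown",
}

if __name__ == "__main__":
    for status, hosts in sorted(group_by_status(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as unparseable or not_listed need a manual check, since the advisory says nothing about them.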

Provided and/or discovered by:
The vendor credits Brett Moore of Security-Assessment.com Ltd.

Original Advisory:
http://www.skype.com/security/skype-sb-2006-001.html

More here.
