Skype patches critical flaws

LATEST NEWS

Computerworld is New Zealand's only specialised information systems fortnightly.
Subscribe now for $100 (23 issues) and save more than 37% off the cover price!

Get the latest news from Computerworld delivered via email.
Sign up now

Warns users to upgrade to latest version, even Mac OS and Linux clients

By Robert McMillan | San Francisco | Thursday, 27 October, 2005

Skype users are being urged to upgrade to the latest version of the popular internet telephony client, thanks to a number of critical flaws in the software that were disclosed by Skype's maker, Skype Technologies.

If exploited, two of the flaws could allow attackers to take over a Skype user's system, the company says in its advisory. These flaws affect a number of Windows versions of the software ranging between version 1.1 to 1.4.

The first of these flaws could be exploited by tricking a Skype user to click on a specially-crafted URL, while the second would require a Skype user to import a malicious vCard. VCard is an electronic business card format used by some email programs.

Security research firm Secunia has rated the flaws "highly critical," and listed a third type of error, which affects Mac OS and Linux clients as well, that could be exploited to crash the Skype client. The Secunia advisory also tells users to update to the latest version of the software.

At this time there is no known malicious software that takes advantage of these bugs, according to Secunia.

Though it has not been the target of a widespread attack to date, Skype has a number of characteristics that market it increasingly attractive to attackers, says Tom Newton, a product development manager with firewall vendor SmoothWall.

"It's difficult to control from a network administrator point of view, and we're left with an extremely homogenous environment," he says. "Once everybody is running the same code, it becomes much more profitable for miscreants and wrongdoers to affect our computers."

Skype Technologies says there are now 61 million registered Skype users, more than enough to attract the attention of hackers, according to Newton.

EBay's planned acquisition of Skype Technologies and the possibility that the client will play a role in online commerce only makes a Skype attack more appealing, he adds. "The attack is yet to come. I don't doubt that something will happen," Newton says. "The scale of it is up for debate."

In fact, hackers are have already begun paying attention to Skype, even if they have yet to launch a widespread attack. Earlier this month attackers began sending out malicious Trojan horse code in the form of email attachments that claimed to contain version 1.4 of the Skype client.