A security flaw in Skype Ltd.'s peer-to-peer VoIP software has been closed, thanks to diligent work by a Kiwi security expert.
Auckland-based Brett Moore, chief technology officer of Australian independent security company Security-Assessment.com Ltd., uncovered the flaw in Skype's software. Skype is now advising users to upgrade to its latest version to fix the bug.
Moore said that the type of vulnerability found in Skype is fairly common with applications that interact with internet browsers.
"We have previously discovered this type of vulnerability in two separate programs and there are public releases of similar issues in other programs," he said.
The security flaw manifests itself through the way Skype handles Uniform Resource Identifiers (URIs) that point to names or addresses referring to resources.
Security-Assessment.com discovered that with one type of URI handler installed by Skype it was possible to include additional command-line switches. One such switch will set up a file transfer session that will allow data written to the local hard disk to be sent to another Skype user.
For an attacker to successfully exploit the flaw he must know the exact name and location of the file he wants to transfer on the victim's computer. The attacker must also authorize the victim, Security-Assessment.com said. This is easily done, with the attacker simply adding the victim to his contact list.
There are further URI handler flaws in Skype, Security-Assessment.com said. Other command-line switches could be exploited to manipulate or obtain victims' Skype user credentials.
Security-Assessment.com regularly performs application testing for its customers or as part of its own R&D, said Moore.
"In this case, we were reviewing Skype as part of a larger VoIP research program. Often we will notice what appears to be the potential for a vulnerability and investigate further."
Moore said that a targeted attack is required to exploit this particular vulnerability.
"The person to be exploited must be specifically selected and they must be convinced to browse to a web page or click on a hyperlink," he said. "While there are certain mitigating factors involved in a successful attack, the potential is there for an attacker to steal confidential files, including the user's Skype configuration."
Theft of the Skype configuration could lead to further attacks such as ID theft, or listening in on users' conversations, he said.
"The best solution is to install the vendor-supplied update," Moore said.
"As always, users should be aware of malicious emails and email attachments."
When discovering security flaws the company works directly with the vendor involved to help secure their software, Moore said.
"Skype was very happy to work with us on this issue. They phoned me shortly after receiving our security report and kept me up to date with their progress," he said.
"During the patch development they called me to discuss further details, and sent me a pre-release install to verify that they had fixed the problem."
Moore was a little surprised to find the bug in Skype because it has already undergone independent security reviews, and also because of the large numbers of users.