Two new vulnerabilities in the Skype telephony software have been found, each of which could be used to compromise security on affected systems:
SKYPE-SB/2005-02
Affecting Skype for Windows, an attacker could use a buffer overflow to execute arbitrary code when Skype is called upon to handle malformed URLs in the Skype-specific URI types callto:// and skype://. Additionally, an attacker could potentially use this vulnerability to execute arbitrary code during the import of a VCARD that is in a specific non-standard format.
SKYPE-SB/2005-02
Affecting every Skype platform, an error in bounds checking in a specific networking routine could enable a remote malicious attacker to force the Skype client to crash.
To take advantage of this vulnerability, an attacker would need to send a stream of specifically crafted network traffic to a Skype client network, which could then cause the client to crash. Other unpredictable behavior is possible, though this vulnerability has not been able to cause the client to execute specific instructions.
Skype has released an update that addresses both of these vulnerabilities. For the updated version, visit http://www.skype.net/download/