SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#905177

Skype vulnerable to heap-based buffer overflow

Overview

A heap-based buffer overflow in Skype may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.

I. Description

Skype software provides telephone service over IP networks. Skype contains a buffer overflow in a routine that parses incoming network traffic. The issue exists because Skype relies on user-controlled data to determine the size of buffers used to handle incoming packets. This may allow a remote attacker to manipulate memory allocation routines to create an under-sized buffer. When data is copied to this buffer, a heap-based buffer overflow may occur.

For more information, please refer to Skype Security Bulletin SKYPE-SB/2005-003.

II. Impact

A remote attacker may be able to overwrite heap memory causing the Skype process to crash or cause unpredictable behavior. In addition, public reports claim this vulnerability can be used to execute arbitrary code.

III. Solution

Upgrade Skype

Please see Skype Security Bulletin SKYPE-SB/2005-003 for a list of fixed Skype versions.

Systems Affected

VendorStatusDate NotifiedDate Updated
Skype TechnologiesVulnerable26-Oct-2005

References


http://www.skype.com/security/skype-sb-2005-03.html
http://secunia.com/advisories/17305/
http://www.securityfocus.com/archive/1/414519/30/0/threaded

Credit

This vulnerability was reported by SKY-CERT. Skype credits EADS Corporate Research Center security lab with providing information regarding this vulnerability.

This document was written by Jeff Gennari.

Other Information

Date Public:2005-10-25
Date First Published:2005-10-26
Date Last Updated:2005-10-31
CERT Advisory: 
CVE-ID(s):CAN-2005-3267
NVD-ID(s):CAN-2005-3267
US-CERT Technical Alerts: 
Metric:20.88
Document Revision:18

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Produced 2005 by US-CERT, a government organization
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader