Vulnerability Note VU#930345

Skype URI handling routine contains a buffer overflow

Overview

A buffer overflow in Skype may allow a remote attacker to execute code on a vulnerable system.

I. Description

Skype software provides telephone service over IP networks. There is a buffer overflow in the routines that handle Skype-specific URIs (callto:// or skype://). The buffer overflow may stem from an input validation error in the Delphi routine SysUtils.WideFmtStr(...).

For more information, please see Skype Security Bulletin SKYPE-SB/2005-002 and Delphi Bug Report 4744.

II. Impact

A remote attacker may be able to execute arbitrary code if they can persuade a user to access a Skype-specific URI with a vulnerable Skype installation.

III. Solution

Upgrade Skype

Please see Skype Security Bulletin SKYPE-SB/2005-002 for a list of fixed Skype versions.

Do not access Skype URIs from untrusted sources

Exploitation occurs when a specially crafted Skype URI is accessed. Accessing Skype URIs only from trusted or known sources reduces the chances of exploitation.
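One way to apply this workaround at a mail or web content filter, shown as an added example that is not part of the original note or of any Skype or US-CERT tooling: it finds callto: and skype: links in HTML and marks them for blocking when the source is not on a trusted list. The function names, host names and the 128-character length cap are assumptions; the note does not state what length triggers the overflow.

```python
import re
from html.parser import HTMLParser

SKYPE_SCHEMES = ("callto:", "skype:")   # the two schemes named in the advisory
MAX_URI_LEN = 128                       # assumed policy cap, not from the advisory

class LinkCollector(HTMLParser):
    """Collect URI-bearing attribute values; HTMLParser lowercases attribute
    names and decodes character references (&#115; -> s) in the values."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)

def review_skype_links(html, source_host, trusted_hosts=frozenset()):
    """Return one finding per callto:/skype: link, with the reasons to block it."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    trusted = source_host.lower() in trusted_hosts
    findings = []
    for raw in collector.links:
        # Browsers strip surrounding whitespace and embedded tabs/newlines from
        # a URL; removing every character <= 0x20 is a stricter normalization,
        # applied here before the scheme is matched and the length measured.
        uri = re.sub(r"[\x00-\x20]", "", raw)
        if not uri.lower().startswith(SKYPE_SCHEMES):
            continue
        reasons = []
        if not trusted:
            reasons.append("untrusted-source")
        if len(uri) > MAX_URI_LEN:
            reasons.append("overlong")
        findings.append({"scheme": uri.split(":", 1)[0].lower(),
                         "length": len(uri), "reasons": reasons,
                         "block": bool(reasons)})
    return findings

# Constructed sample page, not taken from any real message.
SAMPLE = ('<a href="skype:echo123?call">test call</a>\n'
          '<a HREF=" CallTo://alice">call</a>\n'
          '<a href="&#115;kype:' + "A" * 300 + '">long</a>\n'
          '<a href="https://example.org/">web</a>')
```

A filter like this only reduces exposure on unpatched hosts; upgrading to a fixed Skype version remains the actual fix.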

Systems Affected

Vendor              Status      Date Updated
Skype Technologies  Vulnerable  26-Oct-2005

References


http://secunia.com/advisories/17305/
http://www.skype.com/security/skype-sb-2005-02.html
http://qc.borland.com/wc/qcmain.aspx?d=4744

Credit

This vulnerability was reported by SKY-CERT. SKY-CERT credits Mark Rowe of Pentest Limited with providing information regarding this issue.

This document was written by Jeff Gennari.

Other Information

Date Public: 10/25/2005
Date First Published: 10/26/2005 10:20:30 AM
Date Last Updated: 10/26/2005
CERT Advisory:
CVE Name: CAN-2005-3265
US-CERT Technical Alerts:
Metric: 10.13
Document Revision: 14

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Produced 2005 by US-CERT, a government organization