
CERT Coordination Center

Skype for Mac contains a format string error in the handling of URI arguments

Vulnerability Note VU#202604

Original Release Date: 2006-10-06 | Last Revised: 2006-10-06


Skype for Mac contains a format string vulnerability in the handling of URIs, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.


Skype software provides telephone service over IP networks. There is a format string vulnerability in the NSRunAlertPanel function in the routines that handle Skype-specific URIs, such as skype://.
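The bug class described above, shown as an added C example that is not Skype's code and not part of the original note. `show_alert` is a hypothetical stand-in for an alert function that, like NSRunAlertPanel, takes a printf-style message format followed by variadic arguments; the URI is a constructed sample containing only the harmless `%%` sequence.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an alert API whose message parameter is a
 * printf-style format. It renders into a buffer instead of opening a
 * dialog so the result can be inspected. */
static char alert_text[256];

static const char *show_alert(const char *msg_format, ...)
{
    va_list ap;
    va_start(ap, msg_format);
    vsnprintf(alert_text, sizeof alert_text, msg_format, ap);
    va_end(ap);
    return alert_text;
}

/* Flawed pattern: text taken from the URI is used as the format string,
 * so every '%' sequence in it is parsed as a conversion specification.
 * Declaring show_alert with __attribute__((format(printf, 1, 2))) lets
 * GCC and Clang flag this call under -Wformat-security. */
static const char *alert_uri_flawed(const char *uri)
{
    return show_alert(uri);
}

/* Corrected pattern: the format is a constant and the URI is passed
 * only as data, so its contents are never interpreted. */
static const char *alert_uri_fixed(const char *uri)
{
    return show_alert("%s", uri);
}

int main(void)
{
    /* Constructed sample; "%%" consumes no arguments, so the flawed path
     * stays well-defined while still showing that the text was parsed. */
    const char *uri = "skype:example?note=100%%done";

    printf("flawed: %s\n", alert_uri_flawed(uri)); /* "%%" collapses to "%" */
    printf("fixed:  %s\n", alert_uri_fixed(uri));  /* text shown verbatim   */
    return 0;
}
```

The altered output of the flawed path is the signal to look for in review: any change between the input text and what is displayed means the input reached a format parameter.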


By sending a specially crafted URI to Skype, a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the user. Such a URI can be sent to Skype by convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment). The attacker could also cause Skype to crash.


Apply an update

This vulnerability is addressed in Skype for Mac release 1.5.*.80 or later.

Vendor Information


Skype Technologies Affected

Updated:  October 06, 2006



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Please see SKYPE-SB/2006-002.





This vulnerability was reported by Tom Ferris of Security-Protocols.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2006-5084
Severity Metric: 8.29
Date Public: 2006-10-03
Date First Published: 2006-10-06
Date Last Updated: 2006-10-06 20:25 UTC
Document Revision: 2

Sponsored by CISA.