A buffer overflow in the way Skype handles imported VCARDs may allow a remote attacker to execute code on a vulnerable system.
Skype software provides telephone service over IP networks. Skype fails to properly validate imported VCARDs, allowing a buffer overflow to occur. The buffer overflow may stem from an input validation error in the Delphi routine SysUtils.WideFmtStr(...).
A remote attacker may be able to execute arbitrary code if they can persuade a user to import a specially crafted VCARD with a Skype-specific URI with a vulnerable Skype installation.
Please see Skype Security Bulletin SKYPE-SB/2005-002 for a list of fixed Skype versions.
Do not import VCARDs from untrusted sources
This vulnerability was reported by SKY-CERT. SKY-CERT credits Mark Rowe of Pentest Limited with providing information regarding this issue.
This document was written by Jeff Gennari.
|Date First Published:||2005-10-26|
|Date Last Updated:||2005-12-19 14:34 UTC|