To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://www.silicon.com/research/specialreports/voip/0,3800004463,39153664,00.htm

Skype issues bug fix update
Flaws could mean PC hijackings...

By Joris Evers

Published: Wednesday 26 October 2005

Skype updated its popular internet telephony software on Tuesday to fix a pair of security bugs. The most serious flaw could allow an attacker to commandeer a user's PC.

That flaw, which is similar to a bug Skype fixed last year, affects only Skype for Windows. An attacker could exploit the flaw by crafting a special link and enticing a user to click on it. The flaw could also be exploited when importing user information from a malformed electronic business card, or VCARD, Skype said in an advisory.

A second vulnerability affects Skype on all platforms but could only be exploited in a denial of service attack, Skype said in another advisory. Skype clients are available for Windows; Mac OS X v10.3 (Panther) or later; Linux; and Windows Mobile 2003 for Pocket PC, Skype said.

Security information aggregator Secunia rates the flaws "highly critical", one notch below its highest rating. The company uses the rating for remotely exploitable vulnerabilities that can lead to a system becoming compromised.

Skype was acquired by online auctioneer eBay in September. The client software has been downloaded more than 186 million times since its launch in August 2003 and 61 million people are registered to use the service, according to Skype's website. More than three million people use Skype simultaneously at any given time, the company said.

Skype on Tuesday released updated versions of its software for Windows, Mac OS X and Linux that do not contain the bugs. A fixed version of the application for Pocket PCs is forthcoming, according to Skype's security advisory.

Joris Evers writes for CNET News.com