Skype patches security flaw

Peer-to-peer phone company Skype has updated its internet telephony software, patching a critical flaw in its client for Microsoft Windows-based systems. The patch is available from Skype's website.

Security information provider Secunia said on Monday the vulnerability could allow attackers to take control of a Skype user's PC after the victim clicks on a specially created URL. By including a long string of characters in the link, the attacker could trigger a memory error known as a buffer overflow that could then be exploited to run a program.

"Successful exploitation may allow execution of arbitrary code," Secunia said. It has ranked the flaw as "highly critical" - its second-highest rating.

Kelly Larabee, a spokeswoman for Skype, said the company acknowledged the security hole in its release notes for the update. "We became aware of a security threat late last week and moved to correct it. We encourage users to download the latest version."

Skype's software enables people to use the internet to place voice calls. Calls to other internet phone users are free, while calls to traditional phones and mobile phones are charged a per-minute fee. More than 34 million people have downloaded the software, and as many as one million people have used the service simultaneously, according to a posting on Skype's website.

Skype's voice over Internet Protocol (VoIP) client runs on Windows XP, Mac OS X, Linux and Microsoft PocketPC.

Secunia also recommended that Skype users update to the latest version of the VoIP software.

Robert Lemos writes for CNET News.com.