Skype - is your version secure?

It may well be worth checking...

By Sylvia Carr, 30 May 2006 13:05

Businesses using the popular voice over IP application Skype should make sure employees are logging on with the latest version, according to analyst house Gartner.

A recent vulnerability in Skype for Windows allows an attacker to steal a file from a victim's PC, provided the victim has visited a malicious website and the attacker knows the file's location.

The latest version of Skype fixes this security hole but the software does not require users to upgrade before placing VoIP calls or sending instant messages - thus, warns Gartner, businesses could be putting company data at risk by allowing employees to use a vulnerable version of the software.

Gartner analyst Lawrence Orans said in a research note: "Because the Skype client is a free download, it is widely used and most businesses have no idea how many Skype clients are installed on their systems or how much Skype traffic passes over their networks."

The most secure option, according to Gartner, is to block all Skype traffic on the corporate network.

If businesses want to allow Skype use, though, Gartner suggests keeping a close eye on which versions employees are using.

Orans said: "If after weighing the risks, a business decides to allow Skype use, it should actively manage version control of the Skype client - and its distribution to authorised users - using configuration management tools."

Comments

There are 4 comments.

  1. Charles Smith

    Skype 2.5 Beta is even more sneaky at dodging firewalls and UTM devices. Whilst I use Skype on a personal basis, companies should watch out for compliance issues. It is impossible to monitor what employees are sending out/receiving in the form of messages. In addition they could be using the file transfer facility and introducing the risk of unscanned viruses/worms/trojans.

    Skype's new SMS texting facility is a real bonus though.

  2. Richard A

    Is this a Windows-only flaw or does it also affect versions of Skype running on Linux and Mac OS X?

    The article is platform agnostic but I can't tell if this is because the vulnerability exists for all OSs or merely because it is lazily assumed that all businesses run Windows...

    In other words, should I be concerned or can I afford to feel smug? Did anybody think to ask Skype or Gartner while researching this article?

    [Ed note: Good question. The flaw affects Skype for Windows only. The story has been updated accordingly.]

  3. David Fletcher

    The Linux version of Skype is now available in a yum repository.

    If this facility is used then Skype should be automatically kept up to date along with the rest of the system when the yum update command is used.

  4. Paul Sadlier

    The security issue with Skype demonstrates a wider, more worrying trend. As it is a free download, many companies don’t know how many Skype clients they’ve got installed on their systems nor how much Skype network traffic they have. Companies need to have validated asset management processes and tools that can track, identify and remove free download software, remotely. Employees also need to be made aware of what they can and can’t download or use – such as music files or peer-to-peer networks.
