Difference between revisions of "DBSA:2015-0004"

From Digibase Knowledge Base
Jump to: navigation, search
(Created page with "{{DBSAHEAD | TITLE=Skype Colon Exploit | KEYWORDS=Skype, colon, exploit, :, http://, crash, DoS }} '''DBSA ID:''' {{PAGENAME}} '''Regarding:''' Skype Colon Exploit '''Write...")
(No difference)

Revision as of 02:34, 6 June 2015

Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.

Digibase Security Advisory - Skype Colon Exploit

Keywords: Skype, colon, exploit, :, http://, crash, DoS

DBSA ID: 2015-0004

Regarding: Skype Colon Exploit

Writeup: Kradorex Xeron (talk) 02:34, 6 June 2015 (EDT)

Date: 2015 06 06

Last Modified: 20150606023417 by Kradorex Xeron

Who should take note: All Skype Users

Classification

Priority: MODERATE

Rationale: Can only be exploited by those who can transmit messages to you.

Severity: MODERATE

Rationale: Can be used to create a DoS condition whereas reinstallation of Skype may be the only alternative.

Spread of Issue: SINGLE-PLATFORM HIGH

Rationale: Only Skype for Windows users are impacted.

Description

Skype is a all-in-one communication software for video, voice and chat/IM that is developed and published by Microsoft. The software is available for Windows, MacOSX, Linux, Android and iOS (Apple). The vulnerability has been discovered in the Windows version whereas an attacker may transmit a malicious string (text) to a vulnerable user, resulting in a crash condition. Restart of the software attempts to replay recent messages the vulnerable user has received, to which the malicious string is among them. Other platforms have not been identified as vulnerable.

The string in question is "http://:".

Mitigation/Solution

Users impacted are strongly advised to update their Skype client to the most recent version (link of website included in references for convenience) as Microsoft has already patched and released an update to eliminate this issue.

Users are strongly advised not to attempt to test the vulnerability on themselves or friends without authorization and without information security experience and training.

References