Revision as of 02:34, 6 June 2015
Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.
Digibase Security Advisory - Skype Colon Exploit
Keywords: Skype, colon, exploit, :, http://, crash, DoS
DBSA ID: 2015-0004
Regarding: Skype Colon Exploit
Writeup: Kradorex Xeron (talk) 02:34, 6 June 2015 (EDT)
Date: 2015 06 06
Last Modified: 20150606023417 by Kradorex Xeron
Who should take note: All Skype Users
Classification
Priority: MODERATE
Rationale: Can only be exploited by those who can transmit messages to you.
Severity: MODERATE
Rationale: Can be used to create a DoS condition in which reinstallation of Skype may be the only remedy.
Spread of Issue: SINGLE-PLATFORM HIGH
Rationale: Only Skype for Windows users are impacted.
Description
Skype is an all-in-one communication application for video, voice and chat/IM that is developed and published by Microsoft. The software is available for Windows, Mac OS X, Linux, Android and iOS (Apple). The vulnerability has been discovered in the Windows version: an attacker can transmit a malicious string (text) to a vulnerable user, resulting in a crash condition. On restart, the software attempts to replay the recent messages the vulnerable user has received, and the malicious string is among them, so the client crashes again. Other platforms have not been identified as vulnerable.
The string in question is "http://:" immediately followed by a line break.
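For administrators who relay or archive chat traffic, a simple filter can flag messages carrying this string before they reach an unpatched client, and can defuse it for display. The following is an added example for this advisory, not code from Digibase or Microsoft. It assumes the trigger is the literal "http://:" followed by a line break, as described above, and conservatively also flags "http://:" at the very end of a message; the sample messages are constructed.

```python
"""Flag and defuse the crash string described in DBSA:2015-0004.

Added example (not part of the advisory): a message filter that a chat
gateway or log-review script could run so that an unpatched client never
renders the trigger. The trigger is taken from the advisory text: the
literal "http://:" immediately followed by a line break. As a conservative
assumption the filter also flags "http://:" at the end of a message.
"""
import re

# "http://:" followed by a line break (LF or CRLF) or by the end of the text.
# The line break is captured so it can be preserved when defusing.
CRASH_PATTERN = re.compile(r"http://:(\r?\n|$)")


def contains_crash_string(message: str) -> bool:
    """Return True if the message body carries the DBSA:2015-0004 trigger."""
    return CRASH_PATTERN.search(message) is not None


def neutralise(message: str) -> str:
    """Return a copy of the message with the trigger broken up so it can be
    displayed safely. Keep the original bytes elsewhere for the record."""
    return CRASH_PATTERN.sub(r"http://[:]\1", message)


def triage(messages):
    """Return (flagged_indices, cleaned_messages) for a list of message bodies.

    flagged_indices lists the positions of messages that carried the trigger;
    cleaned_messages is the same list with those messages defused.
    """
    flagged = []
    cleaned = []
    for index, body in enumerate(messages):
        if contains_crash_string(body):
            flagged.append(index)
            cleaned.append(neutralise(body))
        else:
            cleaned.append(body)
    return flagged, cleaned


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    "hey, are we still on for tonight?",
    "check this out http://:\n",
    "normal link http://example.com/ works fine",
    "http://:\r\nwith CRLF",
]

if __name__ == "__main__":
    flagged, cleaned = triage(SAMPLE_MESSAGES)
    print("flagged message indices:", flagged)
    for body in cleaned:
        print(repr(body))
```

Running the script against the constructed sample flags messages 1 and 3; an ordinary URL such as http://example.com/ is left untouched, since the pattern requires the colon to be followed directly by a line break or the end of the message.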
Mitigation/Solution
Users impacted are strongly advised to update their Skype client to the most recent version, as Microsoft has already patched and released an update that eliminates this issue (a link to the download site is provided in the references for convenience).
Users are strongly advised not to attempt to test the vulnerability on themselves or on friends without authorization and without information security experience and training.