DBSA:2015-0004

From Digibase Knowledge Base

Disclaimer: As technology changes, advisories may become out of date or may no longer be relevant. Please refer to the "Date" section of the header to be sure the advisory is recent as it pertains to your situation.

Digibase Security Advisory - Skype Colon Exploit

Keywords: Skype, colon, exploit, :, http://:, crash, DoS

DBSA ID: 2015-0004

Regarding: Skype Colon Exploit

Writeup: Kradorex Xeron (talk) 02:34, 6 June 2015 (EDT)

Date: 2015 06 06

Last Modified: 20150606030406 by Kradorex Xeron

Who should take note: All Skype Users

Classification

Priority: MODERATE

Rationale: Can only be exploited by those who can transmit messages to you.

Severity: MODERATE

Rationale: Can be used to create a DoS condition in which reinstallation of Skype may be the only alternative.

Spread of Issue: SINGLE-PLATFORM HIGH

Rationale: Only Skype for Windows users are impacted.

Description

Skype is an all-in-one communication application for video, voice and chat/IM that is developed and published by Microsoft. The software is available for Windows, Mac OS X, Linux, Android and iOS (Apple). The vulnerability has been discovered in the Windows version: an attacker may transmit a malicious string (text) to a vulnerable user, resulting in a DoS condition by way of a crash of the Skype software. When restarted, the software attempts to replay the recent messages the vulnerable user has received, and the malicious string is among them. Other platforms have not been identified as vulnerable.

Skype for Windows 7.5.0.101 and earlier 7.x versions are impacted; 6.x is not. The current version at the time of this writing is 7.5.0.102, which is secured against this exploit.

The string in question is "http://:".

Mitigation/Solution

Users are strongly advised to update their Skype client to the most recent version (a link to the website is included in the references for convenience), as Microsoft has already patched the issue and released an update to eliminate it.
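To find which clients still need the update, the version ranges given in the Description can be applied to a software inventory. The following is an added example, not part of the original advisory; the `host,version` row format, the hostnames and the status labels are assumptions, as is treating builds later than 7.5.0.102 as retaining the fix.

```python
import re

# Version boundaries taken from the advisory text.
LAST_VULNERABLE = (7, 5, 0, 101)  # "7.5.0.101 and prior of 7.x is impacted"
FIRST_FIXED = (7, 5, 0, 102)      # "7.5.0.102 ... is secured"


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a dotted version."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        return None
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # pad "7.5" to (7, 5, 0, 0)


def classify(version_text):
    """Map a Skype for Windows version string to an advisory status."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    if v[0] == 7 and v <= LAST_VULNERABLE:
        return "vulnerable"
    if v >= FIRST_FIXED:
        return "patched"  # assumption: later builds keep the fix
    if v[0] == 6:
        return "not-affected"
    return "not-covered"  # below 6.x: the advisory makes no statement


def triage(rows):
    """rows: 'host,version' strings. Returns {status: [hosts]}."""
    report = {}
    for row in rows:
        if not row.strip():
            continue
        host, _, version = row.partition(",")
        report.setdefault(classify(version), []).append(host.strip())
    return report


# Constructed inventory rows (hostnames and version mix are made up).
SAMPLE = ["ws-01,7.5.0.101", "ws-02,7.5.0.102", "ws-03,7.5.0.99",
          "ws-04,7.10.0.1", "ws-05,6.22.0.107", "ws-06,5.10.0.116",
          "ws-07,unknown"]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status:13} {', '.join(hosts)}")
```

Versions are compared as integer tuples because a plain string comparison would rank 7.5.0.99 above 7.5.0.101 and 7.10 below 7.5, misclassifying both.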

Those not vulnerable or no longer vulnerable should forward this advisory or the advice from this advisory to their contacts who may not have updated yet.

Users are strongly advised not to attempt to test the vulnerability on themselves or friends without authorization and without information security experience and training.

References