Disclaimer: as technology changes, advisories may become out of date or may no longer be relevant, please refer to the "Date" section of the header to be sure the advisory is recent as pertains to your situation.
Digibase Security Advisory - Skype Colon Exploit
Keywords: Skype, colon, exploit, :, http://:, crash, DoS
DBSA ID: 2015-0004
Regarding: Skype Colon Exploit
Date: 2015 06 06
Last Modified: 20150606030406 by Kradorex Xeron
Who should take note: All Skype Users
Rationale: Can only be exploited by those who can transmit messages to you.
Rationale: Can be used to create a DoS condition whereas reinstallation of Skype may be the only alternative.
Spread of Issue: SINGLE-PLATFORM HIGH
Rationale: Only Skype for Windows users are impacted.
Skype is a all-in-one communication software for video, voice and chat/IM that is developed and published by Microsoft. The software is available for Windows, MacOSX, Linux, Android and iOS (Apple). The vulnerability has been discovered in the Windows version whereas an attacker may transmit a malicious string (text) to a vulnerable user, resulting in a DoS condition by way of a crash of the Skype software. Restart of the software attempts to replay recent messages the vulnerable user has received, to which the malicious string is among them. Other platforms have not been identified as vulnerable.
Skype Windows 220.127.116.11 and prior of 7.x is impacted, however 6.x is not. Current version at the time of this writing is 18.104.22.168 and is secured against this exploit.
The string in question is "
Users are strongly advised to update their Skype client to the most recent version (link of website included in references for convenience) as Microsoft has already patched and released an update to eliminate this issue.
Those not vulnerable or no longer vulnerable should forward this advisory or the advice from this advisory to their contacts who may have not updated yet.
Users are strongly advised not to attempt to test the vulnerability on themselves or friends without authorization and without information security experience and training.