Australian company uncovers Skype flaw

Watch your configuration file

Australian security firm Security-Assessment.com has discovered a flaw in the URI handler that the Windows Skype client registers when it is installed.

Skype was notified of the flaw earlier this month and promptly issued a patch. Security-Assessment.com published its advisory on 22 May.

Skype has confirmed that the vulnerability could allow an attacker to retrieve files from other Skype users over unauthenticated connections, owing to a flaw in the client's URI (Uniform Resource Identifier) handler.

The flaw lies in the URI handler registered during installation of the Windows Skype client. The handler hands the URI to the client's command line, and a crafted URI can carry additional command-line switches through to the client, potentially initiating a file transfer.

For such a transfer to be initiated the attacker must have authorised the victim on the attacker's own side, which is as simple as adding the victim to the attacker's contact list; that step requires no consent from the victim.

Drazen Drazic, managing director of Security-Assessment.com, said the bug affects all releases of Skype for Windows up to and including the latest versions.

"We have had concerns about VoIP [voice over IP] for a while, but there are not too many players in the space, security and otherwise, addressing VoIP security concerns," Drazic said.

"There have been a lot of products rolled out and while there are only a few large Australian implementations, risk review has been an area of research for us.

"We did not release the advisory until Skype got back to us and announced a patch, which was Monday morning last week [22 May]."

The flaw can only be exploited if the victim opens the crafted URI in Internet Explorer, which in practice means visiting or opening a compromised HTML page. The attacker must also know the location of the target file on the victim's machine; a likely target would be the Skype configuration file.
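The mechanism behind this class of bug, written out as an added example that is not code from the original article or from Skype: a Windows URL-protocol handler registers a command template of the form `"client.exe" "%1"`, the shell substitutes the URI for `%1` verbatim, and the C runtime then re-splits the resulting command line on quotes and spaces. A URI containing a double quote therefore closes the intended argument and everything after it becomes extra switches. The scheme name `example:`, the executable path, the `/sendfile` switch and the sample URI are all assumptions constructed for illustration; the splitting routine is a simplified reimplementation of the Microsoft C runtime rules, not `CommandLineToArgvW`.

```python
import re

# Hypothetical handler registration in the style of a Windows URL-protocol
# handler (HKCR\<scheme>\shell\open\command). The real Skype template and
# its switch names are not reproduced; this is an assumption for illustration.
HANDLER_TEMPLATE = r'"C:\Program Files\Example\client.exe" "%1"'

def windows_split(cmdline):
    """Split a command line into argv using the Microsoft C runtime rules:
    double quotes group words, and backslashes are only special when they
    precede a double quote. Simplified reimplementation for illustration."""
    args, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == '\\':
            j = i
            while j < n and cmdline[j] == '\\':
                j += 1
            nb = j - i
            if j < n and cmdline[j] == '"':
                cur.append('\\' * (nb // 2))      # 2n backslashes -> n literal
                if nb % 2 == 1:
                    cur.append('"')               # odd count: literal quote
                    j += 1
                i = j                             # even count: quote handled next loop
            else:
                cur.append('\\' * nb)             # backslashes are literal
                i = j
            have_arg = True
        elif c == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
        elif c in ' \t' and not in_quotes:
            if have_arg:
                args.append(''.join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg = True
            i += 1
    if have_arg:
        args.append(''.join(cur))
    return args

def naive_launch(uri):
    """argv the client receives when the handler substitutes %1 verbatim."""
    return windows_split(HANDLER_TEMPLATE.replace('%1', uri))

def injected_args(uri):
    """Arguments beyond the single URI the handler intended to pass."""
    return naive_launch(uri)[2:]

# Allow-list for the scheme this hypothetical client registers: scheme,
# a short user name, and an optional ?call action. Nothing else gets through.
SAFE_URI = re.compile(r'^example:[A-Za-z0-9._-]{1,64}(\?call)?$')

def validated_launch(uri):
    """Hardened variant: refuse anything that is not a well-formed URI
    before it ever reaches the command line."""
    if not SAFE_URI.match(uri):
        raise ValueError('rejected URI: %r' % uri)
    return naive_launch(uri)

if __name__ == '__main__':
    # Constructed sample: a quote closes the %1 argument and smuggles a
    # hypothetical /sendfile switch plus a path after it.
    hostile = 'example:alice" /sendfile "C:\\Users\\victim\\config.xml'
    print(naive_launch('example:alice'))
    print(naive_launch(hostile))
    print(injected_args(hostile))
```

`injected_args` is the check to run against any handler template you ship or audit: if a URI can make it return anything, the client is accepting attacker-controlled switches. Note that quoting in the registry template does not fix this on its own, because the substitution happens before the client sees the command line; the validation has to live in the client, as in `validated_launch`.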
