This article is taken from the New Zealand Computer World home page at http://computerworld.co.nz. -Steve.
Kiwi Security Expert Finds Flaw in Skype By Ulrika Hedquist and Juha Saarinen, Auckland | Tuesday, 6 June, 2006 A security flaw in Skype's peer-to-peer VoIP software has been closed, thanks to diligent work by a Kiwi security expert. Auckland-based Brett Moore, CTO of Australian, independent security company Security-Assessment.com, uncovered the flaw in Skype's software. Skype is now advising users to upgrade to its latest version to fix the bug. Moore says that the type of vulnerability found in Skype is fairly common with applications that interact with internet browsers. "We have previously discovered this type of vulnerability in two separate programs and there are public releases of similar issues in other programs," he says. The security flaw manifests itself through the way Skype handles Uniform Resource Identifiers (URIs) that point to names or addresses referring to resources. Security-Assessment.com discovered that with one type of URI handler installed by Skype it was possible to include additional command-line switches. One such switch will set up a file transfer session that will allow data written to the local hard disk to be sent to another Skype user. For an attacker to successfully exploit the flaw he must know the exact name and location of the file he wants to transfer on the victim's computer. The attacker must also authorise the victim, Security-Assessment.com says. This is easily done, with the attacker simply adding the victim to his contact list. There are further URI handler flaws in Skype, Security-Assessment.com says. Other command-line switches could be exploited to manipulate or obtain victims' Skype user credentials. Security-Assessment.com regularly performs application testing for its customers or as part of its own R&D, says Moore. "In this case, we were reviewing Skype as part of a larger VoIP research programme. Often we will notice what appears to be the potential for a vulnerability and investigate further." Moore says that a targeted attack is required to exploit this particular vulnerability. "The person to be exploited must be specifically selected and they must be convinced to browse to a web page or click on a hyperlink," he says. "While there are certain mitigating factors involved in a successful attack, the potential is there for an attacker to steal confidential files, including the user's Skype configuration." Theft of the Skype configuration could lead to further attacks such as ID theft, or listening in on users' conversations, he says. "The best solution is to install the vendor-supplied update," Moore says. "As always, users should be aware of malicious emails and email attachments." When discovering security flaws the company works directly with the vendor involved to help secure their software, Moore says. "Skype was very happy to work with us on this issue. They phoned me shortly after receiving our security report and kept me up to date with their progress," he says. "During the patch development they called me to discuss further details, and sent me a pre-release install to verify that they had fixed the problem." Moore was a little surprised to find the bug in Skype because it has already undergone independent security reviews, and also because of the large numbers of users. Regards Steve Email: [EMAIL PROTECTED] Skype: steve1963 MSN Messenger: [EMAIL PROTECTED] _______________________________________________ PC-Audio List Help, Guidelines, Archives and more... http://www.pc-audio.org To unsubscribe from this list, send a blank email to: [EMAIL PROTECTED] This list is a service of MosenExplosion.com. To see what other lists we offer, visit us on the web at http://www.MosenExplosion.com
