A security researcher has found a big security concern in some versions of Microsoft's Skype. In a public disclosure, Vulnerability Lab's Benjamin Kunz Mejri detailed a stack buffer overflow flaw that leaves versions 7.2, 7.35, and 7.36 vulnerable. For context, version 7.36 was released just last month, while .35 came on April 12th.
“The security vulnerability allows [us] to crash the software application with an unexpected exception error, to overwrite the active process registers to execute own malcious codes,” said Mejri. “We place a picture in our clipboard, this needs to be copied from a remote desktop system. This can be pasted into the local skype message box, by the paste function. Then the picture is taken from the clipboard (which is the rdp remote clipboard content) and successfully copies it into the message box.”
It seems to center on Skype's use of the MSFTEDIT.DLL when there is a copy request on local systems. The victim doesn't need to provide any interaction on their part for it to work. Attackers only need a Skype account with low privileges.
Vulnerability Lab had proof of concept code in its disclosure, but Microsoft was informed previously. It was told of the bug on May 16th, and a June 8th update fixes the problem.
That may not be the speediest response, but at least users can use the application safely now. At least, if you're on the latest version. Now is a great time to make sure Skype is up to date, and review the frequency with which you update applications. It's never good to get into the habit of clicking ‘Update Later'.
In response to Skype exploit, a Microsoft spokesperson told The Register, “Users on the latest Skype client are automatically protected, and we recommend upgrading to this version for the best protection.”
You can read more about the Skype exploit on the Vulnerability Magazine site.