Critical Zero-Day Skype Exploit Lets Attackers Crash Application and Remotely Execute Code

The Skype exploit was found by security researcher Benjamin Kunz Mejri, and involves the attachment of an image file via a remote desktop system. It requires no input from the user and has been labeled 'severe'.

A security researcher has found a major security concern in some versions of Skype. In a public disclosure, Vulnerability Lab's Benjamin Kunz Mejri detailed a stack buffer overflow flaw that leaves versions 7.2, 7.35, and 7.36 vulnerable. For context, version 7.36 was released just last month, while 7.35 came on April 12th.

“The security vulnerability allows [us] to crash the software application with an unexpected exception error, to overwrite the active process registers to execute own malicious codes,” said Mejri. “We place a picture in our clipboard, this needs to be copied from a remote desktop system. This can be pasted into the local Skype message box, by the paste function. Then the picture is taken from the clipboard (which is the RDP remote clipboard content) and successfully copies it into the message box.”

The flaw seems to center on Skype's use of MSFTEDIT.DLL when there is a copy request on local systems. The victim doesn't need to interact in any way for it to work. Attackers only need a Skype account with low privileges.

Already Patched

Vulnerability Lab included proof-of-concept code in its disclosure, but Microsoft had been informed beforehand. It was told of the bug on May 16th, and a June 8th update fixes the problem.

That may not be the speediest response, but users can now use the application safely, at least if they're on the latest version. Now is a great time to make sure Skype is up to date, and to review how often you update applications. It's never good to get into the habit of clicking 'Update Later'.

In response to the Skype exploit, a Microsoft spokesperson told The Register, “Users on the latest Skype client are automatically protected, and we recommend upgrading to this version for the best protection.”

You can read more about the Skype exploit on the Vulnerability Magazine site.

Ryan Maskell