Skype Patches URL Handling Flaw

    May 22, 2006
    WebProNews Staff

A vulnerability in Skype’s VoIP software could have permitted file transfers from one Skype user to another without requiring consent from the recipient.

The problem, reported on the Secunia website, has been addressed by Skype with a new patch posted to its website. Windows users running older versions of Skype were subject to the flaw, as described by Secunia:

The vulnerability is caused due to an error within the parsing of the parameters passed by the URI handler. This can be exploited to initiate the transfer of a file from one Skype user to another via a specially crafted Skype URL without requiring the sender to explicitly consent to the action.

Successful exploitation requires that the user follows a malicious Skype URL and that the recipient has previously authorized the sender.

Secunia rated the problem as “moderately critical” due to the potential for malicious persons bypassing the security restrictions in Skype.

Skype first posted an advisory of the problem before the weekend. Although it was quickly fixed, the flaw still posed a small speed bump to Skype’s recently announced plan to allow free calls to US and Canadian landline and cellphone numbers until the end of 2006.

The VoIP space has become more competitive, with Skype’s offer and the launch of AOL’s new AIM Phoneline service. AOL has been offering free inbound calls and voicemail to those who sign up for Phoneline and upgrade their AIM client to the latest beta version of AIM Triton.



David Utter is a staff writer for WebProNews covering technology and business.