Credit:
The information has been provided by iDefense Labs Security Advisories.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=711
Vulnerable Systems:
* Skype version 3.6.0.248
Immune Systems:
* Skype version 3.8.0.139
The "file:" URI handler in Skype checks the URL to verify that the link does not contain certain file extensions associated with executable file formats. If the link contains a blacklisted file extension, a security warning dialog is shown to the user. Skype checks the following file extensions and considers them dangerous: .ade, .adp, .asd, .bas, .bat, .cab, .chm, .cmd, .com, .cpl, .crt, .dll, .eml, .exe, .hlp, .hta, .inf, .ins, .isp, .js.
Due to improper logic in these checks, it is possible to bypass the security warning and execute the program. First, the check uses a case-sensitive comparison. Second, the blacklist does not cover all potential executable file formats. By using at least one uppercase character, or an executable file type that is not covered in the list, an attacker can bypass the security warning.
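The two flaws described above, modelled next to a default-deny check, as an added Python example (not Skype's code and not part of the iDefense advisory). The function names, `SAFE_ALLOWLIST` and the sample URIs are assumptions constructed for illustration; `.unlisted` is a placeholder for any file type absent from the blacklist.

```python
from posixpath import splitext
from urllib.parse import unquote, urlparse

# Extensions the advisory lists as checked by the handler.
ADVISORY_DENYLIST = frozenset(
    ".ade .adp .asd .bas .bat .cab .chm .cmd .com .cpl .crt .dll .eml "
    ".exe .hlp .hta .inf .ins .isp .js".split()
)

# Assumption: the only types a handler would open without prompting.
SAFE_ALLOWLIST = frozenset({".txt", ".pdf", ".png", ".jpg"})


def extension(uri: str) -> str:
    """Return the final extension of a file: URI with its case preserved."""
    path = unquote(urlparse(uri).path).replace("\\", "/")
    return splitext(path.rsplit("/", 1)[-1])[1]


def flawed_needs_warning(uri: str) -> bool:
    """Model of the described check: exact-case match against a denylist."""
    return extension(uri) in ADVISORY_DENYLIST


def hardened_needs_warning(uri: str) -> bool:
    """Default-deny: fold case, then warn unless the type is explicitly allowed."""
    return extension(uri).casefold() not in SAFE_ALLOWLIST


# Constructed sample URIs (hypothetical paths).
SAMPLES = [
    "file:///C:/tmp/setup.exe",       # listed extension, lowercase
    "file:///C:/tmp/setup.EXE",       # same type, one uppercase character
    "file:///C:/tmp/setup.unlisted",  # type missing from the denylist
    "file:///C:/tmp/notes.txt",       # explicitly allowed type
]


def compare(uris=SAMPLES):
    """Return (uri, flawed_warns, hardened_warns) for each URI."""
    return [(u, flawed_needs_warning(u), hardened_needs_warning(u)) for u in uris]


if __name__ == "__main__":
    for uri, flawed, hardened in compare():
        print(f"{uri:32} flawed_warns={flawed!s:5} hardened_warns={hardened}")
```

The flawed model warns only for the first sample, while the default-deny check warns for everything except the allowed `.txt` file.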
Analysis:
Exploitation of this issue allows an attacker to execute arbitrary code on the targeted user's machine. An attacker would need to persuade a targeted user to click a "file:" URI pointing to a malicious executable.
Vendor response:
Skype has addressed this vulnerability by releasing version 3.8.0.139. For more information, consult their advisory at the following URL: http://www.skype.com/security/skype-sb-2008-003.html
CVE Information:
CVE-2008-1805
Disclosure timeline:
05/16/2008 - Initial vendor notification
05/17/2008 - Initial vendor response
06/04/2008 - Coordinated public disclosure