A security flaw in Skype\u2019s peer-to-peer voice-over-IP (VoIP) software has been closed, thanks to diligent work by a Kiwi security expert.Brett Moore, chief technology officer of Australian independent security company Security-Assessment.com, uncovered the flaw in Skype\u2019s software. Skype is now advising users to upgrade to its latest version to fix the bug.Moore said the type of vulnerability found in Skype is fairly common with applications that interact with Internet browsers.\u201cWe have previously discovered this type of vulnerability in two separate programs, and there are public releases of similar issues in other programs,\u201d he said.The security flaw manifests itself through the way Skype handles uniform resource identifiers (URIs) that point to names or addresses referring to resources.Security-Assessment.com discovered that with one type of URI handler installed by Skype, it was possible to include additional command-line switches. One such switch will set up a file transfer session that will allow data written to the local hard disk to be sent to another Skype user.For an attacker to successfully exploit the flaw, he must know the exact name and location of the file he wants to transfer on the victim\u2019s computer. The attacker must also authorize the victim, Security-Assessment.com said. This is easily done, with the attacker simply adding the victim to his contact list.There are further URI handler flaws in Skype, Security-Assessment.com said. Other command-line switches could be exploited to manipulate or obtain victims\u2019 Skype user credentials.Security-Assessment.com regularly performs application testing for its customers or as part of its own R&D, said Moore.\u201cIn this case, we were reviewing Skype as part of a larger VoIP research program. Often we will notice what appears to be the potential for a vulnerability and investigate further.\u201dMoore said that a targeted attack is required to exploit this particular vulnerability.\u201cThe person to be exploited must be specifically selected, and they must be convinced to browse to a webpage or click on a hyperlink,\u201d he said. \u201cWhile there are certain mitigating factors involved in a successful attack, the potential is there for an attacker to steal confidential files, including the user\u2019s Skype configuration.\u201dTheft of the Skype configuration could lead to further attacks such as ID theft, or listening in on users\u2019 conversations, he said.\u201cThe best solution is to install the vendor-supplied update,\u201d Moore said.\u201cAs always, users should be aware of malicious e-mails and e-mail attachments.\u201dWhen discovering security flaws, the company works directly with the vendor involved to help secure the software, Moore said.\u201cSkype was very happy to work with us on this issue. They phoned me shortly after receiving our security report and kept me up to date with their progress,\u201d he said.\u201cDuring the patch development, they called me to discuss further details, and sent me a pre-release install to verify that they had fixed the problem.\u201dMoore was a little surprised to find the bug in Skype because it has already undergone independent security reviews, and also because of the large numbers of users.-Ulrika Hedquist and Juha Saarinen, Computerworld New Zealand OnlineFor related news coverage, read Aussie Firm Finds Skype Flaw.Check out our CIO News Alerts and Tech Informer pages for more updated news coverage.