Skype Patches Medium-Risk Security Hole

Skype is advising users to upgrade to a more recent version of its voice-over-IP software to fix a security bug reported late last week by a security researcher in New Zealand.

The bug affects several versions of the Skype client for Windows and could allow an attacker to download a file from an affected PC without permission. Skype rated the vulnerability “medium risk.”

It stems from a flaw in the way the Skype client handles a type of URI, or uniform resource indicator, which provide a standard way to access resources on the Internet. Skype installs several URI handlers during a typical client installation.

To fall victim, a Skype user would have to be tricked into visiting a webpage set up by the attacker, said Brett Moore, a security researcher with Security-Assessment.com, who was credited with finding the hole.

The attacker needs to know the location of the file he wants to transfer, and must also have added the victim to his contact list.

The bug affects all releases of Skype for Windows up to and including version 2.0.x.104, as well as version 2.5.x.0 up to and including 2.5.x.78. Skype advised users to upgrade to Skype 2.5, release 2.5.x.79 or later, or Skype 2.0, release 2.0.x.105 or later.

It’s the first security bulletin issued by Skype in about seven months. Last year it issued three bulletins—two rated high risk and one low risk.

The latest bulletin is available online, as is an advisory from Security-Assessment.com, in PDF format.

-James Niccolai, IDG News Service

For related news coverage, read Skype Seeks Bulk to Avoid Blocks and Skype Offers U.S., Canadian Customers Free Calling.

Check out our CIO News Alerts and Tech Informer pages for more updated news coverage.