Skype patches security policy bypassing vulnerability


June 6th, 2008

According to a security bulletin issued two days ago, Skype's latest version fixes a File URI Security Bypass Code Execution Vulnerability originally reported by Ismael Briones:

Remote exploitation of a security policy bypass in
Skype could allow an attacker to execute arbitrary code in the context
of the user.

The “file:” URI handler in Skype performs checks upon the URL to
verify that the link does not contain certain file extensions related
to executable file formats. If the link is found to contain a
blacklisted file extension, a security warning dialog is shown to the
user. The following file extensions are checked and considered
dangerous by Skype; .ade, .adp, .asd, .bas, .bat, .cab, .chm, .cmd,
.com, .cpl, .crt, .dll, .eml, .exe, .hlp, .hta, .inf, .ins, .isp, .js.

Due to improper logic when performing these checks, it is possible
to bypass the security warning and execute the program. First of all,
checking is performed using a case sensitive comparison. The second
flaw in this check is that the blacklist fails to mention all potential
executable file formats. By using at least one upper case character, or
using an executable file type that is not covered in the list, an
attacker can bypass the security warning.
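
The two flaws described in the bulletin, modelled in Python next to a hardened check that case-folds the extension and warns on anything not explicitly allowed. This is an added example, not Skype's code or part of the bulletin; the allowlist contents, function names and sample URLs are assumptions constructed for illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Extensions the bulletin lists as checked by Skype.
BLOCKLIST = {".ade", ".adp", ".asd", ".bas", ".bat", ".cab", ".chm", ".cmd",
             ".com", ".cpl", ".crt", ".dll", ".eml", ".exe", ".hlp", ".hta",
             ".inf", ".ins", ".isp", ".js"}

# Assumption: a hypothetical allowlist of types opened without a prompt.
ALLOWLIST = {".txt", ".pdf", ".png", ".jpg"}


def extension(url):
    """Return the extension of a file: URL's path, exactly as written."""
    path = unquote(urlsplit(url).path).replace("\\", "/")
    return posixpath.splitext(path)[1]


def flawed_warns(url):
    """Check as the bulletin describes it: case-sensitive, blocklist only."""
    return extension(url) in BLOCKLIST


def hardened_warns(url):
    """Default-deny: warn unless the case-folded extension is allowlisted."""
    return extension(url).lower() not in ALLOWLIST


def missed_by_flawed(urls):
    """URLs the hardened check flags but the flawed check lets through."""
    return [u for u in urls if hardened_warns(u) and not flawed_warns(u)]


# Constructed sample links; ".unlisted" stands in for any type absent from
# the blocklist.
SAMPLE_URLS = [
    "file:///C:/Users/Public/setup.exe",      # caught by both checks
    "file:///C:/Users/Public/setup.eXe",      # mixed case
    "file:///C:/Users/Public/tool.unlisted",  # not on the blocklist
    "file:///C:/Users/Public/notes.TXT",      # allowlisted after case-folding
]

if __name__ == "__main__":
    for url in missed_by_flawed(SAMPLE_URLS):
        print("no warning from flawed check:", url)
```
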


[Source: Zdnet]