Skype flaws open computers to attack

Company updates its Internet telephony application to fix bugs that could allow an attacker to gain control of a user's PC.

Joris Evers
Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Skype Technologies updated its popular Skype Internet telephony software on Tuesday to fix a pair of security bugs. The most serious flaw could allow an attacker to commandeer a user's PC.

That flaw, which is similar to a bug Skype fixed last year, affects only Skype for Windows. An attacker could exploit the flaw by crafting a special link and enticing a user to click on it. The flaw could also be exploited when importing user information from a malformed electronic business card, or VCARD, Skype said in an advisory.

A second vulnerability affects Skype on all platforms, but could only be exploited in a denial-of-service attack, Skype said in another advisory. Skype clients are available for Windows; Mac OS X v10.3 (Panther) or later; Linux; and Windows Mobile 2003 for Pocket PC, Skype said.

Security information aggregator Secunia rates the flaws "highly critical," one notch below its highest rating. The company uses the rating for remotely exploitable vulnerabilities that can lead to a system becoming compromised.

Skype was acquired by online auctioneer eBay in September. The client software has been downloaded more than 186 million times since its launch in August 2003 and 61 million people are registered to use the service, according to Skype's Web site. More than 3 million people use Skype simultaneously at any given time, the company said.

Skype on Tuesday released updated versions of its software for Windows, Mac OS X and Linux that do not contain the bugs. A fixed version of the application for Pocket PCs is forthcoming, according to Skype's security advisory.