Want CNET to notify you of price drops and the latest stories?

Skype plugs hole in VoIP software

The peer-to-peer Internet phone company patches a serious security flaw in its product for Windows PCs.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
Peer-to-peer phone company Skype has updated its Internet telephony software, patching a critical flaw in its client for Microsoft Windows-based systems.

The vulnerability could allow attackers to take control of a Skype user's PC after the victim clicks on a specially created URL, security information provider Secunia said Monday. By including a long string of characters in the link, the attacker could trigger a memory error known as a buffer overflow that could then be exploited to run a program.

"Successful exploitation may allow execution of arbitrary code," Secunia said. It has ranked the flaw as "highly critical"--its second-highest rating.

Skype acknowledged the security hole in its release notes for the update. "We became aware of a security threat late last week and moved to correct it," said Kelly Larabee, a spokeswoman for Skype. "We encourage users to download the latest version."

Skype's software enables people to use the Internet to place voice calls. Calls to other Internet phone users are free, while calls to traditional phones and mobile phones are charged a per-minute fee. More than 34 million people have downloaded the software, and as many as 1 million people have used the service simultaneously, according to a posting on Skype's Web site.

Skype's voice over Internet Protocol (VoIP) client runs on Windows XP, Mac OS X, Linux and Microsoft PocketPC.

Secunia also recommended that Skype users update to the latest version of the VoIP software.